Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1558870
MD5:	8952118cbd8aac309af40b7ba020ac8e
SHA1:	9eb96e51892c77f644997905d5a7b680558e0aa0
SHA256:	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 968 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8952118CBD8AAC309AF40B7BA020AC8E)

taskkill.exe (PID: 2676 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6444 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3740 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3216 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1660 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6044 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4220 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 424 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7288 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {747d96c5-fa42-4905-9d15-ce93fc205d38} 424 "\\.\pipe\gecko-crash-server-pipe.424" 28e9326ef10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8044 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4284 -parentBuildID 20230927232528 -prefsHandle 4260 -prefMapHandle 4252 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7623ebff-67b8-4a10-9a75-6288c6d1121d} 424 "\\.\pipe\gecko-crash-server-pipe.424" 28ea3d89d10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7584 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5084 -prefMapHandle 5072 -prefsLen 33074 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {654f39dd-4c75-497d-973f-074fe45c9f11} 424 "\\.\pipe\gecko-crash-server-pipe.424" 28eab432d10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 968	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00FFEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00FFEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FFED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FFED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00FFEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FEAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00FEAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01019576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_01019576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1336128865.0000000001042000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5633f6e9-6
Source: file.exe, 00000000.00000000.1336128865.0000000001042000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_563af566-9
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e886144a-d
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f4e2966f-5

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000025F6C438CF7 NtQuerySystemInformation,		18_2_0000025F6C438CF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000025F6C457372 NtQuerySystemInformation,		18_2_0000025F6C457372

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FED5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00FED5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00FE1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FEE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00FEE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F88060	0_2_00F88060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF2046	0_2_00FF2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE8298	0_2_00FE8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBE4FF	0_2_00FBE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB676B	0_2_00FB676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01014873	0_2_01014873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F8CAF0	0_2_00F8CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FACAA0	0_2_00FACAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9CC39	0_2_00F9CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB6DD9	0_2_00FB6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F891C0	0_2_00F891C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9B119	0_2_00F9B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA1394	0_2_00FA1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA1706	0_2_00FA1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA781B	0_2_00FA781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA19B0	0_2_00FA19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9997D	0_2_00F9997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F87920	0_2_00F87920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA7A4A	0_2_00FA7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA7CA7	0_2_00FA7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA1C77	0_2_00FA1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB9EEE	0_2_00FB9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100BE44	0_2_0100BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA1F32	0_2_00FA1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000025F6C438CF7	18_2_0000025F6C438CF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000025F6C457372	18_2_0000025F6C457372
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000025F6C4573B2	18_2_0000025F6C4573B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000025F6C457A9C	18_2_0000025F6C457A9C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F89CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F9F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00FA0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@33/34@70/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FF37B5 GetLastError,FormatMessageW,

0_2_00FF37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE10BF AdjustTokenPrivileges,CloseHandle,		0_2_00FE10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00FE16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FF51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FF51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FED4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00FED4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FF648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00FF648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F842A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7004:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user~1\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.1568198094.0000028EAE530000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1547039410.0000028EABA96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.1568198094.0000028EAE530000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.1568198094.0000028EAE530000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.1568198094.0000028EAE530000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.1568198094.0000028EAE530000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.1568198094.0000028EAE530000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.1568198094.0000028EAE530000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.1568198094.0000028EAE530000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.1568198094.0000028EAE530000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {747d96c5-fa42-4905-9d15-ce93fc205d38} 424 "\\.\pipe\gecko-crash-server-pipe.424" 28e9326ef10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4284 -parentBuildID 20230927232528 -prefsHandle 4260 -prefMapHandle 4252 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7623ebff-67b8-4a10-9a75-6288c6d1121d} 424 "\\.\pipe\gecko-crash-server-pipe.424" 28ea3d89d10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5084 -prefMapHandle 5072 -prefsLen 33074 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {654f39dd-4c75-497d-973f-074fe45c9f11} 424 "\\.\pipe\gecko-crash-server-pipe.424" 28eab432d10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {747d96c5-fa42-4905-9d15-ce93fc205d38} 424 "\\.\pipe\gecko-crash-server-pipe.424" 28e9326ef10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4284 -parentBuildID 20230927232528 -prefsHandle 4260 -prefMapHandle 4252 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7623ebff-67b8-4a10-9a75-6288c6d1121d} 424 "\\.\pipe\gecko-crash-server-pipe.424" 28ea3d89d10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5084 -prefMapHandle 5072 -prefsLen 33074 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {654f39dd-4c75-497d-973f-074fe45c9f11} 424 "\\.\pipe\gecko-crash-server-pipe.424" 28eab432d10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rsaenh.pdb source: firefox.exe, 0000000E.00000003.1548713420.0000028EAB770000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1548713420.0000028EAB798000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577010511.0000028EAB798000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000E.00000003.1524531821.0000028EA65E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA6671000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570835123.0000028EA6671000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522916922.0000028EA666B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1553430001.0000028EA65E9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.1575180176.0000028EA07C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 0000000E.00000003.1578976046.0000028EA538C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000E.00000003.1571918972.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522916922.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 0000000E.00000003.1558402983.0000028EA4568000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.1567186066.0000028EA07A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdbdownloads-retry-download source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000E.00000003.1572884195.0000028EA5A3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1565474302.0000028EA5A31000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8WinTypes.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34E8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000E.00000003.1571918972.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522916922.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000E.00000003.1571918972.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522916922.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4CC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4CC5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8dhcpcsvc6.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdbdownloads-cmd-cancel source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34E8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdbidentity-connection-internal source: firefox.exe, 0000000E.00000003.1578976046.0000028EA538C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000E.00000003.1571918972.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522916922.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8twinapi.appcore.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34E8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8CoreMessaging.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34E8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 0000000E.00000003.1578976046.0000028EA538C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000E.00000003.1571918972.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522916922.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb source: firefox.exe, 0000000E.00000003.1571918972.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522916922.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA344C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdbsponsored_enabled source: firefox.exe, 0000000E.00000003.1577282237.0000028EAB76A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1549026710.0000028EAB74C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdb source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C77000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb@ source: firefox.exe, 0000000E.00000003.1556871661.0000028EA4C0E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdbwebrtc-allow-share-speaker source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8iphlpapi.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8gkcodecs.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C77000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winmm.pdb source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34E8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8CoreUIComponents.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34E8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbdownloads-error-extension source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8cfgmgr32.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34E8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: DWrite.pdb source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdbfxa-menu-turn-on-sync-default source: firefox.exe, 0000000E.00000003.1548713420.0000028EAB770000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8dhcpcsvc.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbwindow-minimize-command source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8msvcp140.amd64.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.1574356364.0000028EA07C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000E.00000003.1571918972.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564222649.0000028EA6892000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522916922.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8webauthn.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Kernel.Appcore.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8ColorAdapterClient.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34F7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 0000000E.00000003.1571918972.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522916922.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000E.00000003.1571918972.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522916922.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8oleaut32.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8TextInputFramework.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34E8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.1574356364.0000028EA07C2000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1555797149.0000028EA4C72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.1575180176.0000028EA07C2000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1555797149.0000028EA4C72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8InputHost.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34E8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000E.00000003.1551323083.0000028EA6671000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570835123.0000028EA6671000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522916922.0000028EA666B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000E.00000003.1564054781.0000028EA68F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577579966.0000028EA68F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570716111.0000028EA68F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Bcp47Langs.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34F7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8wtsapi32.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34E8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8msvcp_win.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA344C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.1567186066.0000028EA07A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnsapi.pdb source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C77000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000E.00000003.1571918972.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522916922.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.UI.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34E8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C77000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdbtabbrowser-manager-mute-tab source: firefox.exe, 0000000E.00000003.1564222649.0000028EA6892000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 0000000E.00000003.1571918972.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522916922.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000E.00000003.1564222649.0000028EA6892000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 0000000E.00000003.1578976046.0000028EA538C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000E.00000003.1571918972.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522916922.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.Storage.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8netprofm.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.Globalization.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34F7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000E.00000003.1564054781.0000028EA68F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577579966.0000028EA68F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570716111.0000028EA68F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdb^/pagead/.\.js.fcd=true$ source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C77000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8directmanipulation.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34E8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8setupapi.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1559811444.0000028EA34E8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8vcruntime140_1.amd64.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdbdownloads-cmd-show-downloads source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8lgpllibs.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: 8vcruntime140.amd64.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winrnr.pdb source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4CC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4CC5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: firefox.exe, 0000000E.00000003.1578976046.0000028EA538C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb source: firefox.exe, 0000000E.00000003.1527751559.0000028EA4C0E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdbdownloads-cmd-show-description-2downloads-cmd-copy-download-link source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdb source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000E.00000003.1571918972.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522916922.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 0000000E.00000003.1578976046.0000028EA538C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: 8wintrust.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb source: firefox.exe, 0000000E.00000003.1555797149.0000028EA4C72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C6B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8WindowManagementAPI.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34E8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000E.00000003.1571918972.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1554107710.0000028EA653A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564472425.0000028EA6540000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522916922.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8npmproxy.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34CE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.UI.Immersive.pdb source: firefox.exe, 0000000E.00000003.1559811444.0000028EA34F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1559811444.0000028EA34E8000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F842DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA0A76 push ecx; ret

0_2_00FA0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F9F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01011C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01011C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97541

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_0000025F6C438CF7 rdtsc

18_2_0000025F6C438CF7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FEDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FEDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBC2A2 FindFirstFileExW,	0_2_00FBC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF68EE FindFirstFileW,FindClose,	0_2_00FF68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FF698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FED076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FED3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FF9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FF979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FF9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FF5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F842DE

Source: firefox.exe, 00000010.00000002.2595252593.000002A6F7C8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\|
Source: firefox.exe, 00000010.00000002.2603606752.000002A6F8205000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2595252593.000002A6F7C8A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2601679782.0000025F6C2D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.2602594416.000002A6F8115000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000013.00000002.2601400642.000002423EE00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWMV
Source: firefox.exe, 00000012.00000002.2595086262.0000025F6BBFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: firefox.exe, 00000013.00000002.2594766695.000002423E9FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW04
Source: firefox.exe, 00000010.00000002.2603606752.000002A6F8205000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2601679782.0000025F6C2D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000012.00000002.2601679782.0000025F6C2D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb}5

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_0000025F6C438CF7 rdtsc

18_2_0000025F6C438CF7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FFEAA2 BlockInput,

0_2_00FFEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FB2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F842DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA4CE8 mov eax, dword ptr fs:[00000030h]

0_2_00FA4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00FE0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FB2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FA083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA09D5 SetUnhandledExceptionFilter,	0_2_00FA09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FA0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00FE1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FC2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FEB226 SendInput,keybd_event,

0_2_00FEB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FEE3B9 mouse_event,

0_2_00FEE3B9

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00FE0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FE1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.1516374824.0000028EADF01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA0698 cpuid

0_2_00FA0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FF8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00FF8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FDD27A GetUserNameW,

0_2_00FDD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FBB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00FBB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F842DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 968, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 968, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01001204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_01001204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01001806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_01001806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	29%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
s-part-0012.t-0009.t-msedge.net	13.107.246.40	true	false	high
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.241.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.129	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.129.91	true	false	high
dyna.wikimedia.org	208.80.154.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.64.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	142.250.81.238	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.129.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000E.00000003.1420692807.0000028EA56E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1565828243.0000028EA56E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1573381019.0000028EA56E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2595996200.0000025F6BEC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2597479479.000002423EDC4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.co.uk/WebExtensionDictionaryManifestWebExtensionLangpackManifestOptionalPermissio	firefox.exe, 0000000E.00000003.1422935933.0000028EA4D64000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.1558402983.0000028EA456B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.1491701951.0000028EAB64E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584758495.0000028EAB64E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1408448288.0000028EAB650000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000013.00000002.2597479479.000002423ED8F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.1423129661.0000028EABB87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1422935933.0000028EA4D64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1561451577.0000028EABB87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1546351986.0000028EABB86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418012998.0000028EABB86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.1547039410.0000028EABAD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1569242464.0000028EAB7B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1547039410.0000028EABA96000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mathiasbynens.be/notes/javascript-escapes#single	firefox.exe, 0000000E.00000003.1595480710.0000028EA411A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.1383220124.0000028EA2E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1387443637.0000028EA3021000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1388520806.0000028EA3060000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1388336632.0000028EA3040000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1388712120.0000028EA307F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.1421523532.0000028EA43AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1555797149.0000028EA4CAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1558880112.0000028EA3CCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4CAA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.1522916922.0000028EA66F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.1520348019.0000028EABAB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1388520806.0000028EA3060000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1449690853.0000028EA576F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1388336632.0000028EA3040000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1388712120.0000028EA307F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/0	firefox.exe, 0000000E.00000003.1601796952.000001A377103000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.1383220124.0000028EA2E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1387443637.0000028EA3021000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1388520806.0000028EA3060000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1388336632.0000028EA3040000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 0000000E.00000003.1433045900.0000028EA3A4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1427408743.0000028EA398F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000E.00000003.1565828243.0000028EA56BA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.1546351986.0000028EABB6A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	firefox.exe, 0000000E.00000003.1545107568.0000028EAE577000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.1545876423.0000028EAD3BF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.instagram.com/	firefox.exe, 0000000E.00000003.1461862352.0000028EA57B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1447461638.0000028EA57EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464873811.0000028EA57B7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.1423129661.0000028EABB87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1561451577.0000028EABB87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1546351986.0000028EABB86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418012998.0000028EABB86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 00000013.00000002.2597479479.000002423ED0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.1473452507.0000028EA4E7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1474464952.0000028EA4E82000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.1547039410.0000028EABAD2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.1423129661.0000028EABB87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1561451577.0000028EABB87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1546351986.0000028EABB86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418012998.0000028EABB86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.1519880112.0000028EAD3BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1561159058.0000028EAD3BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1545876423.0000028EAD3BF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.1548713420.0000028EAB770000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1420692807.0000028EA56E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1565828243.0000028EA56E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1573381019.0000028EA56E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2595996200.0000025F6BEC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2597479479.000002423EDC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.1596812517.0000028EAB42C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.1473452507.0000028EA4E7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1474464952.0000028EA4E82000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.1529540737.0000028EA4151000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.1518407077.0000028EAE5BA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/account?=ht?	firefox.exe, 00000012.00000002.2601199805.0000025F6BF20000.00000004.00000020.00020000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.1421523532.0000028EA43AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1555797149.0000028EA4CAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4CAA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.1557939628.0000028EA4798000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000010.00000002.2598274170.000002A6F80C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2595996200.0000025F6BEE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2601827978.000002423EF03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.1547039410.0000028EABAD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2595996200.0000025F6BE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2597479479.000002423ED0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.1423129661.0000028EABB87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1561451577.0000028EABB87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1546351986.0000028EABB86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418012998.0000028EABB86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000010.00000002.2598274170.000002A6F8072000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2595996200.0000025F6BE86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.1522916922.0000028EA66F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/account?=htOS	firefox.exe, 00000010.00000002.2597145278.000002A6F7DB0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.1474464952.0000028EA4E82000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/complete/searchcbe309e0-f638-4996-9dfc-ea5c19ef16e9a620b506-c3ae-4332-97bb-19	firefox.exe, 0000000E.00000003.1422935933.0000028EA4D64000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/menu-tools-layout-debugger	firefox.exe, 0000000E.00000003.1566932821.0000028EA55AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1554659339.0000028EA55AD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.1592669798.0000028EA33DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1536978069.0000028EA446B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571918972.0000028EA6628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584758495.0000028EAB644000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1588188317.0000028EA33F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1528912448.0000028EA4165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1467948510.0000028EA69EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564682043.0000028EA652D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1462483324.0000028EA42C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1566932821.0000028EA55AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1554400714.0000028EA652D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1555123532.0000028EA53E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1524812620.0000028EA53E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1554659339.0000028EA55AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1421270840.0000028EA51F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1578539608.0000028EA53E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564383798.0000028EA6875000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577524872.0000028EAB461000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1507433344.0000028EA576F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1528912448.0000028EA414C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1465822303.0000028EA580B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	high
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 0000000E.00000003.1433045900.0000028EA3A4D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.1522916922.0000028EA66E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA66E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570835123.0000028EA66E5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.1577835931.0000028EA5A44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1572884195.0000028EA5A3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522544757.0000028EAB509000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1565474302.0000028EA5A31000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.1577835931.0000028EA5A44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1572884195.0000028EA5A3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522544757.0000028EAB509000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1565474302.0000028EA5A31000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.1491701951.0000028EAB64E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584758495.0000028EAB64E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.1422935933.0000028EA4D6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1423379896.0000028EABB4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1562622649.0000028EABB4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1546351986.0000028EABB4D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.1390868769.0000028EA2B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1392151892.0000028EA2B1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1589644564.0000028EA2B39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1392395890.0000028EA2B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1582159782.0000028EA2B2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1536667127.0000028EA2B39000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.1474464952.0000028EA4E82000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.1519383719.0000028EAD4AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568277156.0000028EAD4B3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mathiasbynens.be/	firefox.exe, 0000000E.00000003.1595480710.0000028EA411A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.1522916922.0000028EA663A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551323083.0000028EA6641000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570835123.0000028EA664B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.1473452507.0000028EA4E7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1474464952.0000028EA4E82000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.1390868769.0000028EA2B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1392151892.0000028EA2B1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1589644564.0000028EA2B39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1392395890.0000028EA2B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1582159782.0000028EA2B2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1536667127.0000028EA2B39000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.1519880112.0000028EAD3BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1561159058.0000028EAD3BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1545876423.0000028EAD3BF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.1568822664.0000028EAB7B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.1423129661.0000028EABB87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1422935933.0000028EA4D64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1561451577.0000028EABB87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1546351986.0000028EABB86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418012998.0000028EABB86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.1388712120.0000028EA307F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 0000000E.00000003.1423593406.0000028EABB13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1387443637.0000028EA3021000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1388520806.0000028EA3060000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1449690853.0000028EA576F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1388336632.0000028EA3040000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1388712120.0000028EA307F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000E.00000003.1522916922.0000028EA66F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	firefox.exe, 00000010.00000002.2598274170.000002A6F80C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2595996200.0000025F6BEE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2601827978.000002423EF03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.2596933122.000002A6F7D70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2602392340.0000025F6C3C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2596568568.000002423EB80000.00000002.10000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.64.78	youtube.com	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558870
Start date and time:	2024-11-19 22:11:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@33/34@70/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.164.125.63, 52.12.64.98, 35.80.238.59, 142.250.176.206, 23.60.12.50, 23.60.12.19, 142.251.40.206, 142.251.40.234, 142.250.176.202
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, time.windows.com, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, azureedge-t-prod.trafficmanager.net, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 424 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
16:12:21	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
s-part-0012.t-0009.t-msedge.net	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.40
	http://iglawfirm.com/services/antai-fr/	Get hash	malicious	Unknown	Browse	13.107.246.40
	http://sales-agreement-carpal-relative.s3.amazonaws.com/payout/completed/SEKTJGJFFJlfkdjklm4GHKHKYKFLFL/onedrive.html	Get hash	malicious	Unknown	Browse	13.107.246.40
	https://email.oxblue.com/e3t/Ctc/Q+113/cdDrv04/VXdfjN46m5dxW4GJlKB4fd0DdW2sbCLr5lTFq6N7Hm8xT3qgyTW7Y8-PT6lZ3lzW1ccS1H8Y8rzXW1hrlTV77h1NhW5_pVzH8bsnn6W1PWxqV8D5TN_W4_z5yx2Cz_4sMrZF-GqDHzcW8pZQ3N3BhYgKW3tmwg72n4TxDW4fS46V1-s7dgW57YVF64HfrMMW2BxxC75X21XdW1nBYw_1PMVGyW8s_YKQ6BTQZmW8wDJ4k3-yNbbW2_BGfy66mfVdW937hqt5kq1CcW4XD3mN54BQSWW4G8TK98NTx7zW74frv25zlZbQW5ztJ6n6fGJFrMSqBjr36qwYW2tk9Xh21wMKrW5RXwDq1M2mmrW3nyq_P20wBvNN8-tVH1nqcD1W5m3Vz04sj9CQf2ygfDq04	Get hash	malicious	Unknown	Browse	13.107.246.40
	https://blackearthpavement-my.sharepoint.com/:f:/p/justin/Ers-Js2n9AROj9DUuizyNWABOVK5z1CJ653Ryc0SphjDRg?e=3ZQaIF	Get hash	malicious	Unknown	Browse	13.107.246.40
	DofusInvoker.swf	Get hash	malicious	Unknown	Browse	13.107.246.40
	http://adf-ask-accessibility-daeeafembaazdzfk.z01.azurefd.net	Get hash	malicious	Unknown	Browse	13.107.246.40
	http://adf-ask-accessibility-daeeafembaazdzfk.z01.azurefd.net	Get hash	malicious	Unknown	Browse	13.107.246.40
	https://www.rashakhodro.com/o/?c3Y9bzM2NV8xX29uZSZyYW5kPWJ6RkxWV3c9JnVpZD1VU0VSMTUwOTIwMjRVMTUwOTE1NDQ=N0123Ninfo@colemanenv.com	Get hash	malicious	Unknown	Browse	13.107.246.40
	https://onedrive.live.com/view.aspx?resid=7AEF24C2ECCBD3A%21123&authkey=!ABehDrl0wDeSrDg	Get hash	malicious	Unknown	Browse	13.107.246.40

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	https://trimmer.to:443/GWHMY	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Gherrera_Revised_Record_Adjustment_Antamina_Required_Signature.docx.doc	Get hash	malicious	Unknown	Browse	34.168.114.70
	https://form.jotform.com/243186396374063	Get hash	malicious	HTMLPhisher	Browse	34.54.32.121
	https://form.jotform.com/243186396374063	Get hash	malicious	HTMLPhisher	Browse	34.54.32.121
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://hopp.bio/wchn	Get hash	malicious	HTMLPhisher	Browse	34.149.87.45
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	https://form.jotform.com/243186396374063	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	Nota1893.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	Nota1893.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	https://form.jotform.com/243186396374063	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://doc-zionsurgery.jimdosite.com/	Get hash	malicious	HTMLPhisher	Browse	151.101.2.79
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://trimmer.to:443/GWHMY	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Gherrera_Revised_Record_Adjustment_Antamina_Required_Signature.docx.doc	Get hash	malicious	Unknown	Browse	34.168.114.70
	https://form.jotform.com/243186396374063	Get hash	malicious	HTMLPhisher	Browse	34.54.32.121
	https://form.jotform.com/243186396374063	Get hash	malicious	HTMLPhisher	Browse	34.54.32.121
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://hopp.bio/wchn	Get hash	malicious	HTMLPhisher	Browse	34.149.87.45
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dfd71d07-40d6-4302-99d5-b50ea16f9055.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.176716465149555
Encrypted:	false
SSDEEP:	192:akMvMXP7scbhbVbTbfbRbObtbyEl7nkrTJA6unSrDtTkd/S9D:akFAcNhnzFSJErq1nSrDhkd/cD
MD5:	0BF9F4BE0F9730943CD85996DF551608
SHA1:	CEEC4649B1FB4139403297BB7CF6745116BB60F0
SHA-256:	723F286C16B00E56606907E3921E684510D780CC91CC39C73143B82E6617D26B
SHA-512:	BA5784F0B9B6986E3ECC35A34BA4562F031BE8D56D21D2A5212A8B7DCA1B208F5E45FAD8DD58C50418383D3C6B1FB418179E871FB9D360B070F60D7BC85371CD
Malicious:	false
Preview:	{"type":"uninstall","id":"dfd71d07-40d6-4302-99d5-b50ea16f9055","creationDate":"2024-11-19T23:13:09.730Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dfd71d07-40d6-4302-99d5-b50ea16f9055.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.176716465149555
Encrypted:	false
SSDEEP:	192:akMvMXP7scbhbVbTbfbRbObtbyEl7nkrTJA6unSrDtTkd/S9D:akFAcNhnzFSJErq1nSrDhkd/cD
MD5:	0BF9F4BE0F9730943CD85996DF551608
SHA1:	CEEC4649B1FB4139403297BB7CF6745116BB60F0
SHA-256:	723F286C16B00E56606907E3921E684510D780CC91CC39C73143B82E6617D26B
SHA-512:	BA5784F0B9B6986E3ECC35A34BA4562F031BE8D56D21D2A5212A8B7DCA1B208F5E45FAD8DD58C50418383D3C6B1FB418179E871FB9D360B070F60D7BC85371CD
Malicious:	false
Preview:	{"type":"uninstall","id":"dfd71d07-40d6-4302-99d5-b50ea16f9055","creationDate":"2024-11-19T23:13:09.730Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.942525998425827
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLC68P:8S+Oc+UAOdwiOdKeQjDLC68P
MD5:	198947F5C381718784FDCCE7EE7CF7E6
SHA1:	44F77F76599C0621E8E8375DBFB2937AEFBDCE40
SHA-256:	02DB6B7AD806A3A67EBED1654C34C8CC50B81583B994EEE005C1273020B2DEEA
SHA-512:	06D21127A276426309794051FFC00B39426A031B97BA790CAB2C877D090AE93D67BCB88345F53012BE58311B728310C0BC0A9C23CC0F97ECE6A68F0232436B07
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.942525998425827
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLC68P:8S+Oc+UAOdwiOdKeQjDLC68P
MD5:	198947F5C381718784FDCCE7EE7CF7E6
SHA1:	44F77F76599C0621E8E8375DBFB2937AEFBDCE40
SHA-256:	02DB6B7AD806A3A67EBED1654C34C8CC50B81583B994EEE005C1273020B2DEEA
SHA-512:	06D21127A276426309794051FFC00B39426A031B97BA790CAB2C877D090AE93D67BCB88345F53012BE58311B728310C0BC0A9C23CC0F97ECE6A68F0232436B07
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07329021336285203
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiU:DLhesh7Owd4+ji
MD5:	BF4F815406824436B07D2E0C6FFE1AE8
SHA1:	30152AFE0BBB23FFC6CB4FF98EE7EC554906C019
SHA-256:	A7D2096C309DE91D7DBBCB3D4587E9C79FC28F4FA3D5C787FE54E8FAA32F0F5A
SHA-512:	61C15DF0BE2F352376B0BA2EC77E6636561613FD1232763DBCC3E4C26540D85F9EAE7DBB2D39A2D3BFE15593D68120633A7058DDF0D3F6C4B505A3EA26B50389
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035699946889726504
Encrypted:	false
SSDEEP:	3:GtlstFLmT73QS/BlI/ltlstFLmT73QS/B/lx89//alEl:GtWtI33QMBiltWtI33QMBtx89XuM
MD5:	A677D871898EDE6E0CE0D3BDCEC98E8C
SHA1:	D58013B5D8F877981B781C5D4C0BC6FE0934537D
SHA-256:	49CCDEDE08B55050A065993E8E2BDE23ACAE5E9FA9735FE0927D695451076F94
SHA-512:	4EC19388C50EDDCE3A58335DDD81A404A5BEA2D5D9E7A8362EF22A776958F69852C9F925BB287E29638756230CDD78DDA0DA15F86ADCF6CAA104327B12CFF562
Malicious:	false
Preview:	..-.....................\.5.og..uof.^..y...7....-.....................\.5.og..uof.^..y...7..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.039668019826374044
Encrypted:	false
SSDEEP:	3:Ol1nL4Iuq/o3QY2AzbJ37l8rEXsxdwhml8XW3R2:KJ1/Onz9Ll8dMhm93w
MD5:	8D93B96963C663771399D39FB6D06F54
SHA1:	AA0A7B92DE7B6CF65471352658D13526B54AB380
SHA-256:	48D2E396A54593DD7E370DAD9CB92635B8BD199FB088CDE5B4F06A3C996FEC30
SHA-512:	6C77FB10C65D77E2406665C3C8EB5F68A16CAFACEE4D30747C374FBD63459E57E89CCEAE56939249B691B7869EE811816D50734BCF515439EC8279FA8D255417
Malicious:	false
Preview:	7....-..........uof.^..yl-r..jM.........uof.^..y.5.\..go................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.478635775194825
Encrypted:	false
SSDEEP:	192:lMnSRkyYbBp65qUCaXc6Vs2N6V5RHNBw8d0nSl:/eKqUnOyOPwx0
MD5:	3ED2A35C682E975D8392E2F1D0D409F2
SHA1:	F3F882619D73C2A3B024240E3AFC5E549E93661F
SHA-256:	7CA30B15E2A55ABCCB153403D1B1754F7C5718E8074D00F5F03B948A57A5D861
SHA-512:	0432A5809704A7EDAF936C945C6D5E36A5ACBA6AE37A8FD5C3677D51056DB0933A772CAA7C281B09BDCEB26A8E59EAFF3EB00EC4F92DAB619E076540CEF32DBC
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732057960);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732057960);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732057960);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173205

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.478635775194825
Encrypted:	false
SSDEEP:	192:lMnSRkyYbBp65qUCaXc6Vs2N6V5RHNBw8d0nSl:/eKqUnOyOPwx0
MD5:	3ED2A35C682E975D8392E2F1D0D409F2
SHA1:	F3F882619D73C2A3B024240E3AFC5E549E93661F
SHA-256:	7CA30B15E2A55ABCCB153403D1B1754F7C5718E8074D00F5F03B948A57A5D861
SHA-512:	0432A5809704A7EDAF936C945C6D5E36A5ACBA6AE37A8FD5C3677D51056DB0933A772CAA7C281B09BDCEB26A8E59EAFF3EB00EC4F92DAB619E076540CEF32DBC
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732057960);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732057960);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732057960);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173205

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.338070373534897
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS75LXnIgxuf/pnxQwRlszT5sKhibX73eHVVPNZToamhuj3pOOcUb2d:GUpOxUpuZnR6A3etZTo45edHd
MD5:	521E01BCE92E04A10F9F6ED5B1CA591E
SHA1:	EEBC19ACC756CA17C3F84AC21E79D903111A55B2
SHA-256:	7834FBEF98DDE709C23B96D2E201FB373693F2B8E565EAF590380A279BD31939
SHA-512:	AB9A76FA52E85278FBF71A38D43846277421B3178407B2EF280F4E1ABCC41B18D79FD9F14AC2A0B628A0122909CA04497157F4F2069CD83F04B9DCEAEAAE6934
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ab9d00fa-5737-433a-a757-fa952b484e38}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732057966001,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P29463...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...35756,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.338070373534897
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS75LXnIgxuf/pnxQwRlszT5sKhibX73eHVVPNZToamhuj3pOOcUb2d:GUpOxUpuZnR6A3etZTo45edHd
MD5:	521E01BCE92E04A10F9F6ED5B1CA591E
SHA1:	EEBC19ACC756CA17C3F84AC21E79D903111A55B2
SHA-256:	7834FBEF98DDE709C23B96D2E201FB373693F2B8E565EAF590380A279BD31939
SHA-512:	AB9A76FA52E85278FBF71A38D43846277421B3178407B2EF280F4E1ABCC41B18D79FD9F14AC2A0B628A0122909CA04497157F4F2069CD83F04B9DCEAEAAE6934
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ab9d00fa-5737-433a-a757-fa952b484e38}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732057966001,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P29463...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...35756,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.338070373534897
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS75LXnIgxuf/pnxQwRlszT5sKhibX73eHVVPNZToamhuj3pOOcUb2d:GUpOxUpuZnR6A3etZTo45edHd
MD5:	521E01BCE92E04A10F9F6ED5B1CA591E
SHA1:	EEBC19ACC756CA17C3F84AC21E79D903111A55B2
SHA-256:	7834FBEF98DDE709C23B96D2E201FB373693F2B8E565EAF590380A279BD31939
SHA-512:	AB9A76FA52E85278FBF71A38D43846277421B3178407B2EF280F4E1ABCC41B18D79FD9F14AC2A0B628A0122909CA04497157F4F2069CD83F04B9DCEAEAAE6934
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ab9d00fa-5737-433a-a757-fa952b484e38}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732057966001,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P29463...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...35756,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.035969967405025
Encrypted:	false
SSDEEP:	48:YrSAYVeUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAcb5:ycV+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	F89510727D5A882438703847C7D7FED6
SHA1:	00FAC0C02FC666E6F5E5BE910BDD5E71D555DBD7
SHA-256:	23DABD05F43262526D3854CE23D73C6360E70DB3365F030D10ECB1CEB7A71B8B
SHA-512:	C5F4111BADD24A73BBF2162FBB13EB8459BD88E7BA857A905909E7E6F945E4B8E02E25091F78F1EE3937A5046D7C48F1F6598CAF22BC9CA2290B18303DE8A44B
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-19T23:12:25.203Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.035969967405025
Encrypted:	false
SSDEEP:	48:YrSAYVeUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAcb5:ycV+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	F89510727D5A882438703847C7D7FED6
SHA1:	00FAC0C02FC666E6F5E5BE910BDD5E71D555DBD7
SHA-256:	23DABD05F43262526D3854CE23D73C6360E70DB3365F030D10ECB1CEB7A71B8B
SHA-512:	C5F4111BADD24A73BBF2162FBB13EB8459BD88E7BA857A905909E7E6F945E4B8E02E25091F78F1EE3937A5046D7C48F1F6598CAF22BC9CA2290B18303DE8A44B
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-19T23:12:25.203Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.592697144061893
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'624 bytes
MD5:	8952118cbd8aac309af40b7ba020ac8e
SHA1:	9eb96e51892c77f644997905d5a7b680558e0aa0
SHA256:	f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a
SHA512:	4199640d12798c108f09d9007f29fd2f4f5a075986b5e257c5629dde340717d0199a92601262c020a55e6ab370c8f26e88c35d5a547fc02818244590502926c8
SSDEEP:	12288:3qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgamT1M:3qDEvCTbMWu7rQYlBQcBiT6rprG8a+a
TLSH:	47159E027391C062FFAB92334F5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673CFC48 [Tue Nov 19 20:59:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FEB1C9166D3h
jmp 00007FEB1C915FDFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FEB1C9161BDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FEB1C91618Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FEB1C918D7Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FEB1C918DC8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FEB1C918DB1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa9bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa9bc	0xaa00	ce3e85ffdd9dfa40c64c432af606cb7a	False	0.3771599264705882	data	5.65032187562506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1c82	data			1.0015072622636338
RT_GROUP_ICON	0xde43c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde4b4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde4c8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde4dc	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde4f0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde5cc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 22:12:16.795615911 CET	49797	443	192.168.2.7	35.190.72.216
Nov 19, 2024 22:12:16.795664072 CET	443	49797	35.190.72.216	192.168.2.7
Nov 19, 2024 22:12:16.801215887 CET	49797	443	192.168.2.7	35.190.72.216
Nov 19, 2024 22:12:16.808015108 CET	49797	443	192.168.2.7	35.190.72.216
Nov 19, 2024 22:12:16.808031082 CET	443	49797	35.190.72.216	192.168.2.7
Nov 19, 2024 22:12:17.009300947 CET	443	49797	35.190.72.216	192.168.2.7
Nov 19, 2024 22:12:17.012952089 CET	49797	443	192.168.2.7	35.190.72.216
Nov 19, 2024 22:12:17.021164894 CET	49797	443	192.168.2.7	35.190.72.216
Nov 19, 2024 22:12:17.021174908 CET	443	49797	35.190.72.216	192.168.2.7
Nov 19, 2024 22:12:17.021353960 CET	49797	443	192.168.2.7	35.190.72.216
Nov 19, 2024 22:12:17.021806002 CET	443	49797	35.190.72.216	192.168.2.7
Nov 19, 2024 22:12:17.025393009 CET	49797	443	192.168.2.7	35.190.72.216
Nov 19, 2024 22:12:17.354078054 CET	49804	443	192.168.2.7	142.250.64.78
Nov 19, 2024 22:12:17.354113102 CET	443	49804	142.250.64.78	192.168.2.7
Nov 19, 2024 22:12:17.354300976 CET	49805	443	192.168.2.7	142.250.64.78
Nov 19, 2024 22:12:17.354336977 CET	443	49805	142.250.64.78	192.168.2.7
Nov 19, 2024 22:12:17.359157085 CET	49806	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:17.360366106 CET	49804	443	192.168.2.7	142.250.64.78
Nov 19, 2024 22:12:17.360383987 CET	49805	443	192.168.2.7	142.250.64.78
Nov 19, 2024 22:12:17.361809969 CET	49804	443	192.168.2.7	142.250.64.78
Nov 19, 2024 22:12:17.361826897 CET	443	49804	142.250.64.78	192.168.2.7
Nov 19, 2024 22:12:17.363178015 CET	49805	443	192.168.2.7	142.250.64.78
Nov 19, 2024 22:12:17.363193035 CET	443	49805	142.250.64.78	192.168.2.7
Nov 19, 2024 22:12:17.449353933 CET	80	49806	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:17.468539953 CET	49806	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:17.468904018 CET	49806	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:17.559003115 CET	80	49806	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:17.560292006 CET	80	49806	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:17.566802979 CET	443	49805	142.250.64.78	192.168.2.7
Nov 19, 2024 22:12:17.567822933 CET	443	49805	142.250.64.78	192.168.2.7
Nov 19, 2024 22:12:17.575355053 CET	443	49804	142.250.64.78	192.168.2.7
Nov 19, 2024 22:12:17.576354027 CET	443	49804	142.250.64.78	192.168.2.7
Nov 19, 2024 22:12:17.577405930 CET	49805	443	192.168.2.7	142.250.64.78
Nov 19, 2024 22:12:17.577429056 CET	443	49805	142.250.64.78	192.168.2.7
Nov 19, 2024 22:12:17.577527046 CET	49804	443	192.168.2.7	142.250.64.78
Nov 19, 2024 22:12:17.577537060 CET	443	49804	142.250.64.78	192.168.2.7
Nov 19, 2024 22:12:17.582633018 CET	49805	443	192.168.2.7	142.250.64.78
Nov 19, 2024 22:12:17.582662106 CET	443	49805	142.250.64.78	192.168.2.7
Nov 19, 2024 22:12:17.582743883 CET	49805	443	192.168.2.7	142.250.64.78
Nov 19, 2024 22:12:17.583039045 CET	443	49805	142.250.64.78	192.168.2.7
Nov 19, 2024 22:12:17.584985971 CET	49804	443	192.168.2.7	142.250.64.78
Nov 19, 2024 22:12:17.585000038 CET	443	49804	142.250.64.78	192.168.2.7
Nov 19, 2024 22:12:17.585079908 CET	49804	443	192.168.2.7	142.250.64.78
Nov 19, 2024 22:12:17.585182905 CET	49805	443	192.168.2.7	142.250.64.78
Nov 19, 2024 22:12:17.585325956 CET	443	49804	142.250.64.78	192.168.2.7
Nov 19, 2024 22:12:17.585367918 CET	49804	443	192.168.2.7	142.250.64.78
Nov 19, 2024 22:12:17.610424042 CET	49806	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:18.117142916 CET	49806	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:18.172986031 CET	49816	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:18.173016071 CET	443	49816	34.117.188.166	192.168.2.7
Nov 19, 2024 22:12:18.173477888 CET	49816	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:18.174736023 CET	49816	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:18.174746990 CET	443	49816	34.117.188.166	192.168.2.7
Nov 19, 2024 22:12:18.175503016 CET	49817	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:18.175513983 CET	443	49817	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:18.175836086 CET	49817	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:18.175947905 CET	49817	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:18.175957918 CET	443	49817	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:18.186871052 CET	49818	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:18.187200069 CET	49819	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:18.187282085 CET	443	49819	34.117.188.166	192.168.2.7
Nov 19, 2024 22:12:18.187366962 CET	49819	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:18.188762903 CET	49819	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:18.188796043 CET	443	49819	34.117.188.166	192.168.2.7
Nov 19, 2024 22:12:18.207429886 CET	80	49806	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:18.207564116 CET	49806	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:18.277766943 CET	80	49818	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:18.278031111 CET	49818	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:18.370358944 CET	443	49817	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:18.370471954 CET	49817	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:18.386709929 CET	443	49816	34.117.188.166	192.168.2.7
Nov 19, 2024 22:12:18.386785030 CET	49816	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:18.388468027 CET	443	49819	34.117.188.166	192.168.2.7
Nov 19, 2024 22:12:18.388559103 CET	49819	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:18.691333055 CET	49818	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:18.695806980 CET	49817	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:18.695836067 CET	443	49817	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:18.696814060 CET	443	49817	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:18.700525999 CET	49816	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:18.700540066 CET	443	49816	34.117.188.166	192.168.2.7
Nov 19, 2024 22:12:18.700588942 CET	49816	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:18.700862885 CET	49817	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:18.700926065 CET	49817	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:18.701123953 CET	49817	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:18.701208115 CET	443	49816	34.117.188.166	192.168.2.7
Nov 19, 2024 22:12:18.701498985 CET	49816	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:18.703778028 CET	49819	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:18.703834057 CET	443	49819	34.117.188.166	192.168.2.7
Nov 19, 2024 22:12:18.703870058 CET	49819	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:18.704030037 CET	443	49819	34.117.188.166	192.168.2.7
Nov 19, 2024 22:12:18.704090118 CET	49819	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:18.781423092 CET	80	49818	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:18.782341957 CET	80	49818	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:18.826627016 CET	49818	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:19.117794037 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:19.118838072 CET	49818	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:19.131068945 CET	49831	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:19.131108046 CET	443	49831	34.117.188.166	192.168.2.7
Nov 19, 2024 22:12:19.143188000 CET	49831	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:19.144623995 CET	49831	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:19.144637108 CET	443	49831	34.117.188.166	192.168.2.7
Nov 19, 2024 22:12:19.208930969 CET	80	49818	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:19.209027052 CET	49818	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:19.210675001 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:19.210777044 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:19.210961103 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:19.235444069 CET	49832	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.235486984 CET	443	49832	34.160.144.191	192.168.2.7
Nov 19, 2024 22:12:19.235711098 CET	49832	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.236206055 CET	49832	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.236222029 CET	443	49832	34.160.144.191	192.168.2.7
Nov 19, 2024 22:12:19.303628922 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:19.304775000 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:19.347524881 CET	443	49831	34.117.188.166	192.168.2.7
Nov 19, 2024 22:12:19.347563028 CET	443	49831	34.117.188.166	192.168.2.7
Nov 19, 2024 22:12:19.347599030 CET	49831	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:19.351780891 CET	49831	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:19.351794004 CET	443	49831	34.117.188.166	192.168.2.7
Nov 19, 2024 22:12:19.351876974 CET	49831	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:19.352129936 CET	443	49831	34.117.188.166	192.168.2.7
Nov 19, 2024 22:12:19.352199078 CET	49831	443	192.168.2.7	34.117.188.166
Nov 19, 2024 22:12:19.359453917 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:19.444922924 CET	443	49832	34.160.144.191	192.168.2.7
Nov 19, 2024 22:12:19.447592020 CET	49832	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.450653076 CET	49832	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.450659990 CET	443	49832	34.160.144.191	192.168.2.7
Nov 19, 2024 22:12:19.451255083 CET	443	49832	34.160.144.191	192.168.2.7
Nov 19, 2024 22:12:19.453917980 CET	49832	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.453917980 CET	49832	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.454174042 CET	443	49832	34.160.144.191	192.168.2.7
Nov 19, 2024 22:12:19.455327988 CET	49832	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.694708109 CET	49839	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.694746971 CET	443	49839	34.160.144.191	192.168.2.7
Nov 19, 2024 22:12:19.701541901 CET	49839	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.701735020 CET	49839	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.701744080 CET	443	49839	34.160.144.191	192.168.2.7
Nov 19, 2024 22:12:19.783196926 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:19.787894964 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:19.873378038 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:19.875197887 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:19.875600100 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:19.881980896 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:19.895226002 CET	443	49839	34.160.144.191	192.168.2.7
Nov 19, 2024 22:12:19.895267010 CET	443	49839	34.160.144.191	192.168.2.7
Nov 19, 2024 22:12:19.895348072 CET	49839	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.898478985 CET	49839	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.898485899 CET	443	49839	34.160.144.191	192.168.2.7
Nov 19, 2024 22:12:19.899275064 CET	443	49839	34.160.144.191	192.168.2.7
Nov 19, 2024 22:12:19.900722027 CET	49839	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.900813103 CET	49839	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.900909901 CET	443	49839	34.160.144.191	192.168.2.7
Nov 19, 2024 22:12:19.901129007 CET	49839	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.901129007 CET	49839	443	192.168.2.7	34.160.144.191
Nov 19, 2024 22:12:19.929528952 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:19.965873003 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:19.967225075 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:20.021287918 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:20.501914024 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:20.502509117 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:20.593221903 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:20.596163988 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:20.638542891 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:20.638711929 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:20.898792028 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:20.990101099 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:21.039747000 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:22.835390091 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:22.929563999 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:22.976521015 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:23.007643938 CET	49877	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:23.007672071 CET	443	49877	34.107.243.93	192.168.2.7
Nov 19, 2024 22:12:23.010421991 CET	49877	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:23.012948990 CET	49877	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:23.012962103 CET	443	49877	34.107.243.93	192.168.2.7
Nov 19, 2024 22:12:23.014867067 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:23.107145071 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:23.161377907 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:23.216322899 CET	443	49877	34.107.243.93	192.168.2.7
Nov 19, 2024 22:12:23.216476917 CET	49877	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:23.221486092 CET	49877	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:23.221491098 CET	443	49877	34.107.243.93	192.168.2.7
Nov 19, 2024 22:12:23.221622944 CET	49877	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:23.221745014 CET	443	49877	34.107.243.93	192.168.2.7
Nov 19, 2024 22:12:23.221817970 CET	49877	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:23.572259903 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:23.667376995 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:23.716233015 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:23.978051901 CET	49889	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:23.978097916 CET	443	49889	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:23.978168964 CET	49889	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:23.978260994 CET	49889	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:23.978276014 CET	443	49889	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:24.114991903 CET	49891	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:24.115061045 CET	443	49891	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:24.115540028 CET	49891	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:24.116864920 CET	49891	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:24.116892099 CET	443	49891	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:24.176657915 CET	443	49889	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:24.177105904 CET	49889	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:24.179558992 CET	49889	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:24.179584980 CET	443	49889	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:24.180094957 CET	443	49889	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:24.181191921 CET	49889	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:24.181258917 CET	49889	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:24.181375027 CET	49889	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:24.181382895 CET	443	49889	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:24.182363987 CET	49889	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:24.316425085 CET	443	49891	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:24.316518068 CET	49891	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:24.320054054 CET	49891	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:24.320089102 CET	443	49891	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:24.320132971 CET	49891	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:24.320374966 CET	443	49891	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:24.320523977 CET	49891	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:27.270015001 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:27.472745895 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:27.566906929 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:27.567832947 CET	49911	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:27.567866087 CET	443	49911	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:27.568185091 CET	49911	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:27.569590092 CET	49911	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:27.569605112 CET	443	49911	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:27.569731951 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:27.616560936 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:27.660654068 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:27.716900110 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:27.763715982 CET	443	49911	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:27.763794899 CET	49911	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:27.767944098 CET	49911	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:27.767952919 CET	443	49911	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:27.768032074 CET	49911	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:27.768474102 CET	443	49911	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:27.771040916 CET	49911	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:27.809156895 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:27.809803963 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:27.811008930 CET	49914	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:27.811073065 CET	443	49914	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:27.811846972 CET	49914	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:27.813165903 CET	49914	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:27.813199997 CET	443	49914	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:27.888077021 CET	49916	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:27.888098001 CET	443	49916	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:27.888360977 CET	49916	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:27.889667988 CET	49916	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:27.889679909 CET	443	49916	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:27.900221109 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:27.905600071 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:27.955200911 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:27.955224037 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:28.004045010 CET	443	49914	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:28.004133940 CET	49914	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:28.008672953 CET	49914	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:28.008687973 CET	443	49914	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:28.008759975 CET	49914	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:28.008874893 CET	443	49914	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:28.008924007 CET	49914	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:28.081918955 CET	443	49916	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:28.081998110 CET	49916	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:29.296230078 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:29.298696041 CET	49916	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:29.298713923 CET	443	49916	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:29.298772097 CET	49916	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:29.298962116 CET	443	49916	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:29.303076982 CET	49916	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:29.388016939 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:29.443947077 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:29.473889112 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:29.567296028 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:29.622381926 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:29.739691019 CET	49937	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:29.739716053 CET	443	49937	34.107.243.93	192.168.2.7
Nov 19, 2024 22:12:29.741472006 CET	49937	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:29.742897987 CET	49937	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:29.742912054 CET	443	49937	34.107.243.93	192.168.2.7
Nov 19, 2024 22:12:29.914237976 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:29.934115887 CET	443	49937	34.107.243.93	192.168.2.7
Nov 19, 2024 22:12:29.934287071 CET	49937	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:29.954720020 CET	49937	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:29.954744101 CET	443	49937	34.107.243.93	192.168.2.7
Nov 19, 2024 22:12:29.954813957 CET	49937	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:29.955184937 CET	443	49937	34.107.243.93	192.168.2.7
Nov 19, 2024 22:12:29.956351042 CET	49937	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:30.010349989 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:30.061383009 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:30.109882116 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:30.203769922 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:30.231137991 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:30.235709906 CET	49943	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:30.235737085 CET	443	49943	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:30.235918999 CET	49943	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:30.236104012 CET	49943	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:30.236119032 CET	443	49943	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:30.246315956 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:30.322783947 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:30.377799988 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:30.428251982 CET	443	49943	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:30.435353041 CET	443	49943	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:30.446885109 CET	49943	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:30.446918964 CET	49943	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:32.458538055 CET	49943	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:32.458554983 CET	443	49943	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:32.459009886 CET	443	49943	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:32.461811066 CET	49943	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:32.461896896 CET	49943	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:32.462054968 CET	443	49943	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:32.462579966 CET	49943	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:33.202688932 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:33.296993017 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:33.355338097 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:33.796643019 CET	49981	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:33.796698093 CET	443	49981	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:33.801690102 CET	49981	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:33.801798105 CET	49981	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:33.801826954 CET	443	49981	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:33.808526039 CET	49982	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:33.808556080 CET	443	49982	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:33.810528040 CET	49983	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:33.810554028 CET	443	49983	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:33.812874079 CET	49982	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:33.813110113 CET	49983	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:33.813147068 CET	49982	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:33.813179016 CET	443	49982	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:33.814517975 CET	49983	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:33.814548016 CET	443	49983	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:33.816899061 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:33.908231020 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:33.957117081 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:33.993376017 CET	443	49981	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:33.993469000 CET	49981	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:33.996419907 CET	49981	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:33.996427059 CET	443	49981	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:33.997209072 CET	443	49981	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:34.006860971 CET	443	49983	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:34.006958961 CET	443	49982	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:34.007004023 CET	49983	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.007042885 CET	49982	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.019613981 CET	49982	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.019630909 CET	443	49982	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:34.020078897 CET	443	49982	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:34.022196054 CET	49981	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.022258997 CET	49981	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.022624969 CET	443	49981	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:34.023025036 CET	49983	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.023040056 CET	443	49983	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:34.023097992 CET	49983	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.023230076 CET	443	49983	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:34.023663998 CET	49982	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.023830891 CET	49982	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.024034023 CET	443	49982	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:34.025226116 CET	49981	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.025226116 CET	49983	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.025238037 CET	49982	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.025238037 CET	49982	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.354988098 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:34.358040094 CET	49989	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.358093023 CET	443	49989	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:34.358230114 CET	49989	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.359626055 CET	49989	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.359643936 CET	443	49989	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:34.448977947 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:34.451870918 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:34.489732027 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:34.543265104 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:34.551806927 CET	443	49989	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:34.551882029 CET	49989	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.556339025 CET	49989	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.556350946 CET	443	49989	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:34.556431055 CET	49989	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.556624889 CET	443	49989	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:34.556689024 CET	49989	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:34.590009928 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:35.670315027 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:35.764225960 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:35.766123056 CET	50003	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:35.766247034 CET	443	50003	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:35.766386032 CET	50003	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:35.767724991 CET	50003	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:35.767740011 CET	443	50003	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:35.809187889 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:35.888591051 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:35.955308914 CET	443	50003	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:35.955394030 CET	50003	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:35.959892035 CET	50003	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:35.959896088 CET	443	50003	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:35.959985971 CET	50003	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:35.960091114 CET	443	50003	34.120.208.123	192.168.2.7
Nov 19, 2024 22:12:35.960148096 CET	50003	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:12:35.980246067 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:36.025412083 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:36.695077896 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:36.789016008 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:36.792120934 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:36.843359947 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:36.884428978 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:36.928045988 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:40.158617020 CET	50004	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:40.158668995 CET	443	50004	34.107.243.93	192.168.2.7
Nov 19, 2024 22:12:40.159029961 CET	50004	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:40.160379887 CET	50004	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:40.160396099 CET	443	50004	34.107.243.93	192.168.2.7
Nov 19, 2024 22:12:40.362092972 CET	443	50004	34.107.243.93	192.168.2.7
Nov 19, 2024 22:12:40.362164974 CET	50004	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:40.367117882 CET	50004	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:40.367127895 CET	443	50004	34.107.243.93	192.168.2.7
Nov 19, 2024 22:12:40.367203951 CET	50004	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:40.367432117 CET	443	50004	34.107.243.93	192.168.2.7
Nov 19, 2024 22:12:40.368012905 CET	50004	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:12:40.369951963 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:40.464247942 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:40.467242002 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:40.507105112 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:40.558089972 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:40.599309921 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:44.916479111 CET	50005	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:44.916515112 CET	443	50005	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:44.918755054 CET	50005	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:44.918893099 CET	50005	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:44.918905973 CET	443	50005	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:44.966435909 CET	50006	443	192.168.2.7	35.190.72.216
Nov 19, 2024 22:12:44.966435909 CET	50007	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:44.966532946 CET	443	50006	35.190.72.216	192.168.2.7
Nov 19, 2024 22:12:44.966547966 CET	443	50007	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:44.969300985 CET	50006	443	192.168.2.7	35.190.72.216
Nov 19, 2024 22:12:44.969300985 CET	50007	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:44.970962048 CET	50006	443	192.168.2.7	35.190.72.216
Nov 19, 2024 22:12:44.970962048 CET	50007	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:44.970999956 CET	443	50006	35.190.72.216	192.168.2.7
Nov 19, 2024 22:12:44.971018076 CET	443	50007	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.050407887 CET	50008	443	192.168.2.7	151.101.129.91
Nov 19, 2024 22:12:45.050491095 CET	443	50008	151.101.129.91	192.168.2.7
Nov 19, 2024 22:12:45.050604105 CET	50008	443	192.168.2.7	151.101.129.91
Nov 19, 2024 22:12:45.054373980 CET	50008	443	192.168.2.7	151.101.129.91
Nov 19, 2024 22:12:45.054410934 CET	443	50008	151.101.129.91	192.168.2.7
Nov 19, 2024 22:12:45.059408903 CET	50009	443	192.168.2.7	35.201.103.21
Nov 19, 2024 22:12:45.059501886 CET	443	50009	35.201.103.21	192.168.2.7
Nov 19, 2024 22:12:45.059700966 CET	50009	443	192.168.2.7	35.201.103.21
Nov 19, 2024 22:12:45.061162949 CET	50009	443	192.168.2.7	35.201.103.21
Nov 19, 2024 22:12:45.061199903 CET	443	50009	35.201.103.21	192.168.2.7
Nov 19, 2024 22:12:45.106331110 CET	443	50005	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.106508970 CET	50005	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.109602928 CET	50005	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.109612942 CET	443	50005	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.109942913 CET	443	50005	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.111722946 CET	50005	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.111722946 CET	50005	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.119375944 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:45.159694910 CET	443	50006	35.190.72.216	192.168.2.7
Nov 19, 2024 22:12:45.160711050 CET	50006	443	192.168.2.7	35.190.72.216
Nov 19, 2024 22:12:45.164226055 CET	50006	443	192.168.2.7	35.190.72.216
Nov 19, 2024 22:12:45.164227009 CET	50006	443	192.168.2.7	35.190.72.216
Nov 19, 2024 22:12:45.164252996 CET	443	50006	35.190.72.216	192.168.2.7
Nov 19, 2024 22:12:45.164452076 CET	443	50006	35.190.72.216	192.168.2.7
Nov 19, 2024 22:12:45.164762974 CET	50006	443	192.168.2.7	35.190.72.216
Nov 19, 2024 22:12:45.169704914 CET	443	50007	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.169874907 CET	50007	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.173027992 CET	50007	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.173044920 CET	443	50007	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.173464060 CET	443	50007	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.174983978 CET	50007	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.174983978 CET	50007	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.175221920 CET	443	50007	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.175451994 CET	50007	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.175539970 CET	50010	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.175575018 CET	443	50010	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.175820112 CET	50010	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.175820112 CET	50010	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.175857067 CET	443	50010	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.213357925 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:45.218390942 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:45.253027916 CET	443	50008	151.101.129.91	192.168.2.7
Nov 19, 2024 22:12:45.254982948 CET	50008	443	192.168.2.7	151.101.129.91
Nov 19, 2024 22:12:45.256295919 CET	443	50009	35.201.103.21	192.168.2.7
Nov 19, 2024 22:12:45.260015965 CET	50008	443	192.168.2.7	151.101.129.91
Nov 19, 2024 22:12:45.260016918 CET	50008	443	192.168.2.7	151.101.129.91
Nov 19, 2024 22:12:45.260066032 CET	443	50008	151.101.129.91	192.168.2.7
Nov 19, 2024 22:12:45.260102987 CET	50008	443	192.168.2.7	151.101.129.91
Nov 19, 2024 22:12:45.260106087 CET	443	50008	151.101.129.91	192.168.2.7
Nov 19, 2024 22:12:45.260497093 CET	443	50008	151.101.129.91	192.168.2.7
Nov 19, 2024 22:12:45.260740042 CET	443	50008	151.101.129.91	192.168.2.7
Nov 19, 2024 22:12:45.263358116 CET	443	50009	35.201.103.21	192.168.2.7
Nov 19, 2024 22:12:45.267334938 CET	443	50008	151.101.129.91	192.168.2.7
Nov 19, 2024 22:12:45.267781973 CET	50008	443	192.168.2.7	151.101.129.91
Nov 19, 2024 22:12:45.267782927 CET	50008	443	192.168.2.7	151.101.129.91
Nov 19, 2024 22:12:45.267827988 CET	50009	443	192.168.2.7	35.201.103.21
Nov 19, 2024 22:12:45.267834902 CET	50008	443	192.168.2.7	151.101.129.91
Nov 19, 2024 22:12:45.268018007 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:45.276774883 CET	50009	443	192.168.2.7	35.201.103.21
Nov 19, 2024 22:12:45.276797056 CET	443	50009	35.201.103.21	192.168.2.7
Nov 19, 2024 22:12:45.277010918 CET	50009	443	192.168.2.7	35.201.103.21
Nov 19, 2024 22:12:45.277021885 CET	443	50009	35.201.103.21	192.168.2.7
Nov 19, 2024 22:12:45.277029037 CET	443	50009	35.201.103.21	192.168.2.7
Nov 19, 2024 22:12:45.277350903 CET	50009	443	192.168.2.7	35.201.103.21
Nov 19, 2024 22:12:45.280929089 CET	50011	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.280989885 CET	443	50011	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.281158924 CET	50011	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.281346083 CET	50011	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.281367064 CET	443	50011	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.282989979 CET	50012	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.283051014 CET	443	50012	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.283354044 CET	50012	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.284329891 CET	50012	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.284373999 CET	443	50012	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.285335064 CET	50013	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.285376072 CET	443	50013	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.285725117 CET	50013	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.285725117 CET	50013	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.285790920 CET	443	50013	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.286839962 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:45.288840055 CET	50014	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.288866997 CET	443	50014	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.289061069 CET	50014	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.289372921 CET	50014	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.289383888 CET	443	50014	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.309655905 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:45.355360985 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:45.363354921 CET	443	50010	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.363775015 CET	50010	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.366796017 CET	50010	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.366807938 CET	443	50010	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.367120981 CET	443	50010	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.368830919 CET	50010	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.368830919 CET	50010	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.368993044 CET	443	50010	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.370583057 CET	50010	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.382072926 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:45.384954929 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:45.437139034 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:45.469546080 CET	443	50011	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.469691038 CET	50011	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.471283913 CET	443	50012	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.471359015 CET	50012	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.474046946 CET	443	50013	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.474100113 CET	50011	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.474113941 CET	443	50011	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.474157095 CET	50013	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.474459887 CET	443	50011	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.474795103 CET	50012	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.474802971 CET	443	50012	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.475179911 CET	443	50012	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.476083040 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:45.477379084 CET	50013	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.477397919 CET	443	50013	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.477608919 CET	443	50013	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.478013992 CET	443	50014	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.478774071 CET	50014	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.481466055 CET	50014	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.481471062 CET	443	50014	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.481787920 CET	443	50014	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.483341932 CET	50011	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.483876944 CET	443	50011	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.483913898 CET	50011	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.483923912 CET	443	50011	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.485313892 CET	50012	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.485313892 CET	50012	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.485549927 CET	443	50012	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.485613108 CET	50013	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.485613108 CET	50013	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.485760927 CET	443	50013	35.244.181.201	192.168.2.7
Nov 19, 2024 22:12:45.487660885 CET	50014	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.487660885 CET	50014	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.487833977 CET	443	50014	34.149.100.209	192.168.2.7
Nov 19, 2024 22:12:45.490467072 CET	50012	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.490490913 CET	50014	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.490490913 CET	50014	443	192.168.2.7	34.149.100.209
Nov 19, 2024 22:12:45.490508080 CET	50013	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.490622997 CET	50011	443	192.168.2.7	35.244.181.201
Nov 19, 2024 22:12:45.495564938 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:45.521661997 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:45.591284037 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:45.594726086 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:45.637583017 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:45.689572096 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:45.700077057 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:45.753492117 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:55.597592115 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:55.690656900 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:12:55.720042944 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:12:55.810353041 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:00.475811958 CET	50016	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:13:00.475899935 CET	443	50016	34.107.243.93	192.168.2.7
Nov 19, 2024 22:13:00.476175070 CET	50016	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:13:00.477662086 CET	50016	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:13:00.477699995 CET	443	50016	34.107.243.93	192.168.2.7
Nov 19, 2024 22:13:00.665716887 CET	443	50016	34.107.243.93	192.168.2.7
Nov 19, 2024 22:13:00.668618917 CET	50016	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:13:00.672622919 CET	50016	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:13:00.672669888 CET	443	50016	34.107.243.93	192.168.2.7
Nov 19, 2024 22:13:00.672766924 CET	50016	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:13:00.672890902 CET	443	50016	34.107.243.93	192.168.2.7
Nov 19, 2024 22:13:00.674165010 CET	50016	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:13:00.675780058 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:00.768522978 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:00.769509077 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:00.772229910 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:00.813008070 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:00.862555981 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:00.863502026 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:00.913182020 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:10.779503107 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:10.864198923 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:10.872425079 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:10.954579115 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:14.576659918 CET	50018	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.576765060 CET	443	50018	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:14.576864004 CET	50018	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.576984882 CET	50018	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.577011108 CET	443	50018	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:14.586930990 CET	50019	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.586996078 CET	443	50019	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:14.587156057 CET	50019	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.587321043 CET	50019	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.587337017 CET	443	50019	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:14.589056015 CET	50020	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.589103937 CET	443	50020	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:14.590830088 CET	50020	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.590974092 CET	50020	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.590989113 CET	443	50020	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:14.596328974 CET	50021	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.596369982 CET	443	50021	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:14.601444960 CET	50022	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.601468086 CET	443	50022	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:14.602186918 CET	50022	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.602190018 CET	50021	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.602318048 CET	50021	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.602333069 CET	443	50021	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:14.602458000 CET	50022	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.602475882 CET	443	50022	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:14.604490042 CET	50023	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.604506016 CET	443	50023	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:14.605493069 CET	50023	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.605623960 CET	50023	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:14.605638027 CET	443	50023	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.789942980 CET	443	50018	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.790164948 CET	50018	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.793811083 CET	50018	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.793823957 CET	443	50018	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.794140100 CET	443	50018	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.796504021 CET	50018	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.796627045 CET	50018	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.796664000 CET	443	50018	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.797122955 CET	50024	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.797158003 CET	443	50024	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.800307035 CET	50018	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.800337076 CET	50024	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.800633907 CET	50024	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.800642967 CET	443	50024	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.803981066 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:17.818686008 CET	443	50023	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.818800926 CET	50023	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.819639921 CET	443	50020	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.820605040 CET	443	50019	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.821604967 CET	443	50022	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.821779966 CET	50023	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.821790934 CET	443	50023	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.822174072 CET	443	50023	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.824212074 CET	50023	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.824328899 CET	50023	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.824476957 CET	443	50023	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.824752092 CET	50025	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.824774027 CET	443	50025	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.828263044 CET	443	50021	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.831320047 CET	443	50019	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.831335068 CET	443	50022	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.831638098 CET	50020	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.834023952 CET	50019	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.834032059 CET	50022	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.835340977 CET	443	50023	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.837285995 CET	50023	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.837305069 CET	50023	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.837352991 CET	50019	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.837377071 CET	50022	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.837377071 CET	50020	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.837429047 CET	50025	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.837430000 CET	50023	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.837430000 CET	50021	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.837438107 CET	443	50020	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.838124037 CET	443	50020	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.839943886 CET	50019	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.839960098 CET	443	50019	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.840198994 CET	443	50019	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.842318058 CET	50021	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.842341900 CET	443	50021	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.842662096 CET	443	50021	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.844530106 CET	50022	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.844549894 CET	443	50022	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.844835997 CET	443	50022	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.845551968 CET	50025	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.845561981 CET	443	50025	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.851135969 CET	50020	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.851389885 CET	50020	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.851516962 CET	443	50020	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.852972984 CET	50019	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.852982998 CET	50021	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.853101969 CET	50021	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.853135109 CET	443	50019	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.853157997 CET	443	50021	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.853172064 CET	50019	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.853193045 CET	443	50019	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.854266882 CET	50022	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.854381084 CET	50022	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.854403973 CET	443	50022	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.854882002 CET	50021	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.854882002 CET	50020	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.854914904 CET	50019	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.854943991 CET	50022	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.897173882 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:17.898209095 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:17.901340961 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:17.947557926 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:17.988548994 CET	443	50024	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.988620043 CET	50024	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.991637945 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:17.991879940 CET	50024	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.991889000 CET	443	50024	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.992239952 CET	443	50024	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.992502928 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:17.994715929 CET	50024	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.994806051 CET	50024	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:17.994934082 CET	443	50024	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:17.997450113 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:18.000183105 CET	50024	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:18.038100004 CET	443	50025	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:18.038136959 CET	443	50025	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:18.038189888 CET	50025	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:18.041765928 CET	50025	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:18.041779995 CET	443	50025	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:18.042093039 CET	443	50025	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:18.044593096 CET	50025	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:18.044722080 CET	50025	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:18.044801950 CET	443	50025	34.120.208.123	192.168.2.7
Nov 19, 2024 22:13:18.044851065 CET	50025	443	192.168.2.7	34.120.208.123
Nov 19, 2024 22:13:18.047765970 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:18.091244936 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:18.094871044 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:18.132431984 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:18.185847044 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:18.232790947 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:22.531692028 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:22.625896931 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:22.628516912 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:22.676866055 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:22.719535112 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:22.761549950 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:32.628551960 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:32.721826077 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:32.728838921 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:32.819092989 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:41.027331114 CET	50027	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:13:41.027370930 CET	443	50027	34.107.243.93	192.168.2.7
Nov 19, 2024 22:13:41.027437925 CET	50027	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:13:41.028912067 CET	50027	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:13:41.028920889 CET	443	50027	34.107.243.93	192.168.2.7
Nov 19, 2024 22:13:41.215806961 CET	443	50027	34.107.243.93	192.168.2.7
Nov 19, 2024 22:13:41.216074944 CET	50027	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:13:41.222105026 CET	50027	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:13:41.222129107 CET	443	50027	34.107.243.93	192.168.2.7
Nov 19, 2024 22:13:41.222253084 CET	50027	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:13:41.222366095 CET	443	50027	34.107.243.93	192.168.2.7
Nov 19, 2024 22:13:41.222512007 CET	50027	443	192.168.2.7	34.107.243.93
Nov 19, 2024 22:13:41.226610899 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:41.319299936 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:41.320363998 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:41.324274063 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:41.369756937 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:41.414999962 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:41.415894985 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:41.470011950 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:51.328850985 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:51.421983957 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:13:51.429168940 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:13:51.519567966 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:14:01.441610098 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:14:01.526220083 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:14:01.531893969 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:14:01.619178057 CET	80	49841	34.107.221.82	192.168.2.7
Nov 19, 2024 22:14:11.539215088 CET	49830	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:14:11.629272938 CET	80	49830	34.107.221.82	192.168.2.7
Nov 19, 2024 22:14:11.639516115 CET	49841	80	192.168.2.7	34.107.221.82
Nov 19, 2024 22:14:11.732352018 CET	80	49841	34.107.221.82	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 22:12:16.796530008 CET	65365	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:16.889106035 CET	53	65365	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:16.895253897 CET	64324	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:16.987538099 CET	53	64324	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:17.207969904 CET	63237	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:17.221683025 CET	55212	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:17.299536943 CET	53	63237	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:17.358587027 CET	59108	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:17.365938902 CET	64115	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:17.449759007 CET	53	59108	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:17.457740068 CET	53	64115	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:17.471663952 CET	59859	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:17.472023010 CET	58717	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:17.562433958 CET	53	58717	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:17.563421011 CET	53	59859	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:18.005173922 CET	55816	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:18.005744934 CET	63836	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:18.074805021 CET	62616	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:18.085489988 CET	65371	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:18.089379072 CET	56732	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:18.096036911 CET	53	63836	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:18.097649097 CET	53	55816	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:18.165087938 CET	53	62616	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:18.173154116 CET	49575	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:18.175798893 CET	59368	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:18.180433989 CET	53	56732	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:18.187714100 CET	64647	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:18.264213085 CET	53	49575	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:18.264853954 CET	63902	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:18.267821074 CET	53	59368	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:18.268383026 CET	61466	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:18.278899908 CET	53	64647	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:18.279433012 CET	60178	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:18.356261969 CET	53	63902	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:18.360018969 CET	53	61466	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:18.371077061 CET	53	60178	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:19.131697893 CET	56581	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:19.229957104 CET	53	56581	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:19.235594034 CET	62480	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:19.327073097 CET	53	62480	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:19.346537113 CET	56453	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:19.437803030 CET	53	56453	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:20.671364069 CET	54308	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:20.951524019 CET	53	64190	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:21.527636051 CET	51109	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:21.618563890 CET	53	51109	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:21.619594097 CET	56462	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:21.711891890 CET	53	56462	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:21.712574005 CET	58082	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:21.805326939 CET	53	58082	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:22.456211090 CET	58433	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:22.547035933 CET	53	58433	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:22.548321962 CET	52568	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:22.638561964 CET	53	52568	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:22.639115095 CET	56447	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:22.729589939 CET	53	56447	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:23.887451887 CET	63323	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:23.980103016 CET	53	63323	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:24.115134001 CET	50895	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:24.206387997 CET	53	50895	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:24.215668917 CET	55535	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:24.306694984 CET	53	55535	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:27.796490908 CET	65059	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:27.808933973 CET	57565	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:27.886821032 CET	53	65059	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:27.888251066 CET	65059	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:27.978482008 CET	53	65059	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:27.979063988 CET	59007	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:28.069566011 CET	53	59007	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:29.738595963 CET	54873	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:29.829652071 CET	53	54873	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:29.832901001 CET	54710	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:29.924211979 CET	53	54710	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:33.797123909 CET	53220	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:33.888778925 CET	53	53220	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:35.659594059 CET	61427	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:35.659853935 CET	60205	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:35.660074949 CET	64664	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:35.750848055 CET	53	61427	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:35.750893116 CET	53	64664	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:35.751328945 CET	53	60205	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:35.751828909 CET	50307	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:35.753437996 CET	53118	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:35.754061937 CET	61327	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:35.842506886 CET	53	50307	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:35.845510006 CET	53	61327	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:35.845788002 CET	53	53118	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:35.854418039 CET	50940	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:35.854753971 CET	49232	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:35.854770899 CET	58931	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:35.945082903 CET	53	58931	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:35.945149899 CET	53	49232	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:35.945735931 CET	62201	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:35.945779085 CET	53378	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:35.946000099 CET	53	50940	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:36.036353111 CET	53	53378	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:36.036647081 CET	53	62201	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:36.298084021 CET	50960	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:36.298204899 CET	59862	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:36.388407946 CET	53	59862	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:36.389102936 CET	61861	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:36.389744997 CET	53	50960	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:36.390311003 CET	51509	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:36.480657101 CET	53	51509	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:36.481095076 CET	53	61861	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:40.158935070 CET	57310	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:40.250017881 CET	53	57310	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:44.918370008 CET	60794	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:44.955358982 CET	60844	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:44.967386961 CET	50750	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:45.010706902 CET	53	60794	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:45.031454086 CET	54321	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:45.049107075 CET	53	60844	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:45.050601006 CET	56995	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:45.058680058 CET	53	50750	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:45.059695959 CET	50179	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:45.122786045 CET	53	54321	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:45.145697117 CET	53	56995	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:45.146240950 CET	50874	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:45.151767015 CET	53	50179	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:45.152818918 CET	50706	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:12:45.237445116 CET	53	50874	1.1.1.1	192.168.2.7
Nov 19, 2024 22:12:45.247241020 CET	53	50706	1.1.1.1	192.168.2.7
Nov 19, 2024 22:13:00.383692026 CET	64437	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:13:00.474791050 CET	53	64437	1.1.1.1	192.168.2.7
Nov 19, 2024 22:13:00.475966930 CET	56030	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:13:00.567137957 CET	53	56030	1.1.1.1	192.168.2.7
Nov 19, 2024 22:13:00.676358938 CET	57098	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:13:16.673820972 CET	61183	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:13:16.764111996 CET	53	61183	1.1.1.1	192.168.2.7
Nov 19, 2024 22:13:40.934524059 CET	60927	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:13:41.025986910 CET	53	60927	1.1.1.1	192.168.2.7
Nov 19, 2024 22:13:41.029033899 CET	51221	53	192.168.2.7	1.1.1.1
Nov 19, 2024 22:13:41.120533943 CET	53	51221	1.1.1.1	192.168.2.7
Nov 19, 2024 22:13:41.226440907 CET	54907	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 19, 2024 22:12:16.796530008 CET	192.168.2.7	1.1.1.1	0xf811	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:16.895253897 CET	192.168.2.7	1.1.1.1	0x8484	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 19, 2024 22:12:17.207969904 CET	192.168.2.7	1.1.1.1	0x54be	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:17.221683025 CET	192.168.2.7	1.1.1.1	0x955b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:17.358587027 CET	192.168.2.7	1.1.1.1	0xca32	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:17.365938902 CET	192.168.2.7	1.1.1.1	0x5e8f	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:17.471663952 CET	192.168.2.7	1.1.1.1	0x5275	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 19, 2024 22:12:17.472023010 CET	192.168.2.7	1.1.1.1	0x8f7e	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 19, 2024 22:12:18.005173922 CET	192.168.2.7	1.1.1.1	0xc840	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.005744934 CET	192.168.2.7	1.1.1.1	0x962a	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.074805021 CET	192.168.2.7	1.1.1.1	0x54fd	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.085489988 CET	192.168.2.7	1.1.1.1	0xfe8a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.089379072 CET	192.168.2.7	1.1.1.1	0xcc1d	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.173154116 CET	192.168.2.7	1.1.1.1	0x6652	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.175798893 CET	192.168.2.7	1.1.1.1	0x7788	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.187714100 CET	192.168.2.7	1.1.1.1	0x8a2c	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.264853954 CET	192.168.2.7	1.1.1.1	0x8bb9	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 19, 2024 22:12:18.268383026 CET	192.168.2.7	1.1.1.1	0xc9c0	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 19, 2024 22:12:18.279433012 CET	192.168.2.7	1.1.1.1	0x7579	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 19, 2024 22:12:19.131697893 CET	192.168.2.7	1.1.1.1	0xd0ca	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:19.235594034 CET	192.168.2.7	1.1.1.1	0x217	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:19.346537113 CET	192.168.2.7	1.1.1.1	0xc835	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 19, 2024 22:12:20.671364069 CET	192.168.2.7	1.1.1.1	0x76ea	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:21.527636051 CET	192.168.2.7	1.1.1.1	0x584b	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:21.619594097 CET	192.168.2.7	1.1.1.1	0x9fb2	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:21.712574005 CET	192.168.2.7	1.1.1.1	0x2729	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 19, 2024 22:12:22.456211090 CET	192.168.2.7	1.1.1.1	0xe5b8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:22.548321962 CET	192.168.2.7	1.1.1.1	0x40a1	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:22.639115095 CET	192.168.2.7	1.1.1.1	0xecb2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 19, 2024 22:12:23.887451887 CET	192.168.2.7	1.1.1.1	0xe837	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 19, 2024 22:12:24.115134001 CET	192.168.2.7	1.1.1.1	0x45d3	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:24.215668917 CET	192.168.2.7	1.1.1.1	0x1452	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 19, 2024 22:12:27.796490908 CET	192.168.2.7	1.1.1.1	0x4d62	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:27.808933973 CET	192.168.2.7	1.1.1.1	0xd24f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:27.888251066 CET	192.168.2.7	1.1.1.1	0xed32	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:27.979063988 CET	192.168.2.7	1.1.1.1	0x86d6	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 19, 2024 22:12:29.738595963 CET	192.168.2.7	1.1.1.1	0xa7d4	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:29.832901001 CET	192.168.2.7	1.1.1.1	0xa51b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 19, 2024 22:12:33.797123909 CET	192.168.2.7	1.1.1.1	0x7fae	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 19, 2024 22:12:35.659594059 CET	192.168.2.7	1.1.1.1	0x1b3d	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.659853935 CET	192.168.2.7	1.1.1.1	0x2bdc	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.660074949 CET	192.168.2.7	1.1.1.1	0xbd9d	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.751828909 CET	192.168.2.7	1.1.1.1	0xd6e2	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.753437996 CET	192.168.2.7	1.1.1.1	0xd1c2	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.754061937 CET	192.168.2.7	1.1.1.1	0x8772	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.854418039 CET	192.168.2.7	1.1.1.1	0xbce2	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 19, 2024 22:12:35.854753971 CET	192.168.2.7	1.1.1.1	0x79e2	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 19, 2024 22:12:35.854770899 CET	192.168.2.7	1.1.1.1	0xaa23	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 19, 2024 22:12:35.945735931 CET	192.168.2.7	1.1.1.1	0xed3f	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.945779085 CET	192.168.2.7	1.1.1.1	0x62a2	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:36.298084021 CET	192.168.2.7	1.1.1.1	0x99a9	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:36.298204899 CET	192.168.2.7	1.1.1.1	0x36c9	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:36.389102936 CET	192.168.2.7	1.1.1.1	0xab53	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 19, 2024 22:12:36.390311003 CET	192.168.2.7	1.1.1.1	0xd143	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 19, 2024 22:12:40.158935070 CET	192.168.2.7	1.1.1.1	0xf905	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 19, 2024 22:12:44.918370008 CET	192.168.2.7	1.1.1.1	0x5a03	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:44.955358982 CET	192.168.2.7	1.1.1.1	0x9c9a	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:44.967386961 CET	192.168.2.7	1.1.1.1	0xff12	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:45.031454086 CET	192.168.2.7	1.1.1.1	0xce66	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 19, 2024 22:12:45.050601006 CET	192.168.2.7	1.1.1.1	0x96b	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:45.059695959 CET	192.168.2.7	1.1.1.1	0x8762	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:45.146240950 CET	192.168.2.7	1.1.1.1	0xccdb	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 19, 2024 22:12:45.152818918 CET	192.168.2.7	1.1.1.1	0xd09e	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 19, 2024 22:13:00.383692026 CET	192.168.2.7	1.1.1.1	0x8ed	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:13:00.475966930 CET	192.168.2.7	1.1.1.1	0x5906	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 19, 2024 22:13:00.676358938 CET	192.168.2.7	1.1.1.1	0x1682	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:13:16.673820972 CET	192.168.2.7	1.1.1.1	0x2197	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 19, 2024 22:13:40.934524059 CET	192.168.2.7	1.1.1.1	0xf158	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:13:41.029033899 CET	192.168.2.7	1.1.1.1	0x333a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 19, 2024 22:13:41.226440907 CET	192.168.2.7	1.1.1.1	0xa61b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 19, 2024 22:12:06.941983938 CET	1.1.1.1	192.168.2.7	0xd797	No error (0)	shed.dual-low.s-part-0012.t-0009.t-msedge.net	s-part-0012.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:06.941983938 CET	1.1.1.1	192.168.2.7	0xd797	No error (0)	s-part-0012.t-0009.t-msedge.net		13.107.246.40	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:16.787621975 CET	1.1.1.1	192.168.2.7	0x97c1	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:16.889106035 CET	1.1.1.1	192.168.2.7	0xf811	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:17.299536943 CET	1.1.1.1	192.168.2.7	0x54be	No error (0)	youtube.com		142.250.64.78	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:17.312136889 CET	1.1.1.1	192.168.2.7	0x955b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:17.312136889 CET	1.1.1.1	192.168.2.7	0x955b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:17.449759007 CET	1.1.1.1	192.168.2.7	0xca32	No error (0)	youtube.com		142.251.32.110	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:17.457740068 CET	1.1.1.1	192.168.2.7	0x5e8f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:17.562433958 CET	1.1.1.1	192.168.2.7	0x8f7e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 19, 2024 22:12:17.563421011 CET	1.1.1.1	192.168.2.7	0x5275	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 19, 2024 22:12:18.096036911 CET	1.1.1.1	192.168.2.7	0x962a	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.096036911 CET	1.1.1.1	192.168.2.7	0x962a	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.097649097 CET	1.1.1.1	192.168.2.7	0xc840	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.165087938 CET	1.1.1.1	192.168.2.7	0x54fd	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.166588068 CET	1.1.1.1	192.168.2.7	0x177c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:18.166588068 CET	1.1.1.1	192.168.2.7	0x177c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.176115990 CET	1.1.1.1	192.168.2.7	0xfe8a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:18.176115990 CET	1.1.1.1	192.168.2.7	0xfe8a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.180433989 CET	1.1.1.1	192.168.2.7	0xcc1d	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:18.180433989 CET	1.1.1.1	192.168.2.7	0xcc1d	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.264213085 CET	1.1.1.1	192.168.2.7	0x6652	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.267821074 CET	1.1.1.1	192.168.2.7	0x7788	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:18.278899908 CET	1.1.1.1	192.168.2.7	0x8a2c	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:19.229957104 CET	1.1.1.1	192.168.2.7	0xd0ca	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:19.229957104 CET	1.1.1.1	192.168.2.7	0xd0ca	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:19.229957104 CET	1.1.1.1	192.168.2.7	0xd0ca	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:19.327073097 CET	1.1.1.1	192.168.2.7	0x217	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:19.437803030 CET	1.1.1.1	192.168.2.7	0xc835	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 19, 2024 22:12:20.764250994 CET	1.1.1.1	192.168.2.7	0x76ea	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:21.618563890 CET	1.1.1.1	192.168.2.7	0x584b	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:21.618563890 CET	1.1.1.1	192.168.2.7	0x584b	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:21.618563890 CET	1.1.1.1	192.168.2.7	0x584b	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:21.711891890 CET	1.1.1.1	192.168.2.7	0x9fb2	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:22.547035933 CET	1.1.1.1	192.168.2.7	0xe5b8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:22.638561964 CET	1.1.1.1	192.168.2.7	0x40a1	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:23.977155924 CET	1.1.1.1	192.168.2.7	0xb394	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:23.977155924 CET	1.1.1.1	192.168.2.7	0xb394	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:24.097173929 CET	1.1.1.1	192.168.2.7	0x3157	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:24.206387997 CET	1.1.1.1	192.168.2.7	0x45d3	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:27.566159964 CET	1.1.1.1	192.168.2.7	0xe157	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:27.886821032 CET	1.1.1.1	192.168.2.7	0x4d62	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:27.886821032 CET	1.1.1.1	192.168.2.7	0x4d62	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:27.899590969 CET	1.1.1.1	192.168.2.7	0xd24f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:27.899590969 CET	1.1.1.1	192.168.2.7	0xd24f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:27.978482008 CET	1.1.1.1	192.168.2.7	0xed32	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:29.829652071 CET	1.1.1.1	192.168.2.7	0xa7d4	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	youtube-ui.l.google.com		142.250.81.238	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	youtube-ui.l.google.com		142.251.41.14	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	youtube-ui.l.google.com		142.251.40.206	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	youtube-ui.l.google.com		172.217.165.142	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	youtube-ui.l.google.com		142.250.80.78	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	youtube-ui.l.google.com		142.250.65.174	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	youtube-ui.l.google.com		142.250.72.110	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	youtube-ui.l.google.com		142.250.80.46	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	youtube-ui.l.google.com		142.251.40.238	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	youtube-ui.l.google.com		142.250.65.206	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	youtube-ui.l.google.com		142.250.80.110	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	youtube-ui.l.google.com		142.250.80.14	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	youtube-ui.l.google.com		142.251.32.110	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	youtube-ui.l.google.com		142.250.64.110	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	youtube-ui.l.google.com		142.250.65.238	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750848055 CET	1.1.1.1	192.168.2.7	0x1b3d	No error (0)	youtube-ui.l.google.com		142.250.176.206	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750893116 CET	1.1.1.1	192.168.2.7	0xbd9d	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:35.750893116 CET	1.1.1.1	192.168.2.7	0xbd9d	No error (0)	dyna.wikimedia.org		208.80.154.224	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.751328945 CET	1.1.1.1	192.168.2.7	0x2bdc	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:35.751328945 CET	1.1.1.1	192.168.2.7	0x2bdc	No error (0)	star-mini.c10r.facebook.com		157.240.241.35	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.762511015 CET	1.1.1.1	192.168.2.7	0x8e2d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.842506886 CET	1.1.1.1	192.168.2.7	0xd6e2	No error (0)	youtube-ui.l.google.com		142.250.64.78	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.842506886 CET	1.1.1.1	192.168.2.7	0xd6e2	No error (0)	youtube-ui.l.google.com		142.251.40.174	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.842506886 CET	1.1.1.1	192.168.2.7	0xd6e2	No error (0)	youtube-ui.l.google.com		142.251.40.206	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.842506886 CET	1.1.1.1	192.168.2.7	0xd6e2	No error (0)	youtube-ui.l.google.com		142.250.80.14	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.842506886 CET	1.1.1.1	192.168.2.7	0xd6e2	No error (0)	youtube-ui.l.google.com		142.250.80.46	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.842506886 CET	1.1.1.1	192.168.2.7	0xd6e2	No error (0)	youtube-ui.l.google.com		142.250.80.78	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.842506886 CET	1.1.1.1	192.168.2.7	0xd6e2	No error (0)	youtube-ui.l.google.com		142.250.65.238	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.842506886 CET	1.1.1.1	192.168.2.7	0xd6e2	No error (0)	youtube-ui.l.google.com		142.250.81.238	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.842506886 CET	1.1.1.1	192.168.2.7	0xd6e2	No error (0)	youtube-ui.l.google.com		142.251.40.142	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.842506886 CET	1.1.1.1	192.168.2.7	0xd6e2	No error (0)	youtube-ui.l.google.com		142.250.72.110	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.842506886 CET	1.1.1.1	192.168.2.7	0xd6e2	No error (0)	youtube-ui.l.google.com		142.250.80.110	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.842506886 CET	1.1.1.1	192.168.2.7	0xd6e2	No error (0)	youtube-ui.l.google.com		142.251.40.110	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.842506886 CET	1.1.1.1	192.168.2.7	0xd6e2	No error (0)	youtube-ui.l.google.com		142.251.32.110	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.842506886 CET	1.1.1.1	192.168.2.7	0xd6e2	No error (0)	youtube-ui.l.google.com		142.250.64.110	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.842506886 CET	1.1.1.1	192.168.2.7	0xd6e2	No error (0)	youtube-ui.l.google.com		142.250.176.206	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.842506886 CET	1.1.1.1	192.168.2.7	0xd6e2	No error (0)	youtube-ui.l.google.com		142.251.35.174	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.845510006 CET	1.1.1.1	192.168.2.7	0x8772	No error (0)	star-mini.c10r.facebook.com		157.240.241.35	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.845788002 CET	1.1.1.1	192.168.2.7	0xd1c2	No error (0)	dyna.wikimedia.org		208.80.154.224	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:35.945082903 CET	1.1.1.1	192.168.2.7	0xaa23	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 19, 2024 22:12:35.945149899 CET	1.1.1.1	192.168.2.7	0x79e2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 19, 2024 22:12:35.945149899 CET	1.1.1.1	192.168.2.7	0x79e2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 19, 2024 22:12:35.945149899 CET	1.1.1.1	192.168.2.7	0x79e2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 19, 2024 22:12:35.945149899 CET	1.1.1.1	192.168.2.7	0x79e2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 19, 2024 22:12:35.946000099 CET	1.1.1.1	192.168.2.7	0xbce2	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 19, 2024 22:12:36.036353111 CET	1.1.1.1	192.168.2.7	0x62a2	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:36.036647081 CET	1.1.1.1	192.168.2.7	0xed3f	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:36.036647081 CET	1.1.1.1	192.168.2.7	0xed3f	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:36.036647081 CET	1.1.1.1	192.168.2.7	0xed3f	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:36.036647081 CET	1.1.1.1	192.168.2.7	0xed3f	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:36.036647081 CET	1.1.1.1	192.168.2.7	0xed3f	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:36.388407946 CET	1.1.1.1	192.168.2.7	0x36c9	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:36.388407946 CET	1.1.1.1	192.168.2.7	0x36c9	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:36.388407946 CET	1.1.1.1	192.168.2.7	0x36c9	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:36.388407946 CET	1.1.1.1	192.168.2.7	0x36c9	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:36.389744997 CET	1.1.1.1	192.168.2.7	0x99a9	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:45.006829023 CET	1.1.1.1	192.168.2.7	0xb52c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:45.006829023 CET	1.1.1.1	192.168.2.7	0xb52c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:45.010706902 CET	1.1.1.1	192.168.2.7	0x5a03	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:45.049107075 CET	1.1.1.1	192.168.2.7	0x9c9a	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:45.049107075 CET	1.1.1.1	192.168.2.7	0x9c9a	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:45.049107075 CET	1.1.1.1	192.168.2.7	0x9c9a	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:45.049107075 CET	1.1.1.1	192.168.2.7	0x9c9a	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:45.058680058 CET	1.1.1.1	192.168.2.7	0xff12	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:45.058680058 CET	1.1.1.1	192.168.2.7	0xff12	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:45.145697117 CET	1.1.1.1	192.168.2.7	0x96b	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:45.145697117 CET	1.1.1.1	192.168.2.7	0x96b	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:45.145697117 CET	1.1.1.1	192.168.2.7	0x96b	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:45.145697117 CET	1.1.1.1	192.168.2.7	0x96b	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:45.151767015 CET	1.1.1.1	192.168.2.7	0x8762	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:12:45.237445116 CET	1.1.1.1	192.168.2.7	0xccdb	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 19, 2024 22:12:45.237445116 CET	1.1.1.1	192.168.2.7	0xccdb	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 19, 2024 22:12:45.237445116 CET	1.1.1.1	192.168.2.7	0xccdb	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 19, 2024 22:12:45.237445116 CET	1.1.1.1	192.168.2.7	0xccdb	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 19, 2024 22:12:45.591859102 CET	1.1.1.1	192.168.2.7	0x5762	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:12:45.591859102 CET	1.1.1.1	192.168.2.7	0x5762	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:13:00.474791050 CET	1.1.1.1	192.168.2.7	0x8ed	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:13:00.767050982 CET	1.1.1.1	192.168.2.7	0x1682	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:13:00.767050982 CET	1.1.1.1	192.168.2.7	0x1682	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:13:16.672044992 CET	1.1.1.1	192.168.2.7	0xa461	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:13:41.025986910 CET	1.1.1.1	192.168.2.7	0xf158	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 19, 2024 22:13:41.317837000 CET	1.1.1.1	192.168.2.7	0xa61b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 22:13:41.317837000 CET	1.1.1.1	192.168.2.7	0xa61b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49806	34.107.221.82	80	424	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 19, 2024 22:12:17.468904018 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:17.560292006 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53243 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49818	34.107.221.82	80	424	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 19, 2024 22:12:18.691333055 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:18.782341957 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 08:23:05 GMT Age: 46153 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49830	34.107.221.82	80	424	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 19, 2024 22:12:19.210961103 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:19.304775000 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53245 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:19.787894964 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:19.881980896 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53245 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:20.502509117 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:20.596163988 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53246 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:22.835390091 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:22.929563999 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53248 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:23.572259903 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:23.667376995 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53249 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:27.472745895 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:27.566906929 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53253 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:27.809803963 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:27.905600071 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53253 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:29.473889112 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:29.567296028 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53255 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:30.109882116 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:30.203769922 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53256 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:33.202688932 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:33.296993017 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53259 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:34.354988098 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:34.448977947 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53260 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:35.670315027 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:35.764225960 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53261 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:36.695077896 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:36.789016008 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53262 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:40.369951963 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:40.464247942 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53266 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:45.119375944 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:45.213357925 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53271 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:45.286839962 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:45.382072926 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53271 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:45.495564938 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:12:45.591284037 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53271 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:12:55.597592115 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 19, 2024 22:13:00.675780058 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:13:00.769509077 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53286 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:13:10.779503107 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 19, 2024 22:13:17.803981066 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:13:17.898209095 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53303 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:13:17.997450113 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:13:18.091244936 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53304 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:13:22.531692028 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:13:22.625896931 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53308 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:13:32.628551960 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 19, 2024 22:13:41.226610899 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 19, 2024 22:13:41.320363998 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 19 Nov 2024 06:24:54 GMT Age: 53327 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 19, 2024 22:13:51.328850985 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 19, 2024 22:14:01.441610098 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 19, 2024 22:14:11.539215088 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49841	34.107.221.82	80	424	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 19, 2024 22:12:19.875600100 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:19.967225075 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61081 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:20.501914024 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:20.593221903 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61082 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:20.898792028 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:20.990101099 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61082 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:23.014867067 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:23.107145071 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61085 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:27.270015001 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:27.569731951 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:27.660654068 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61089 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:27.809156895 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:27.900221109 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61089 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:29.296230078 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:29.388016939 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61091 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:29.914237976 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:30.010349989 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61091 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:30.231137991 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:30.322783947 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61092 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:33.816899061 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:33.908231020 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61095 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:34.451870918 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:34.543265104 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61096 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:35.888591051 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:35.980246067 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61097 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:36.792120934 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:36.884428978 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61098 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:40.467242002 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:40.558089972 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61102 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:45.218390942 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:45.309655905 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61107 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:45.384954929 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:45.476083040 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61107 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:45.594726086 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:12:45.700077057 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61107 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:12:55.720042944 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 19, 2024 22:13:00.772229910 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:13:00.863502026 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61122 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:13:10.864198923 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 19, 2024 22:13:17.901340961 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:13:17.992502928 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61139 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:13:18.094871044 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:13:18.185847044 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61140 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:13:22.628516912 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:13:22.719535112 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61144 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:13:32.728838921 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 19, 2024 22:13:41.324274063 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 19, 2024 22:13:41.415894985 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 19 Nov 2024 04:14:18 GMT Age: 61163 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 19, 2024 22:13:51.429168940 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 19, 2024 22:14:01.526220083 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 19, 2024 22:14:11.639516115 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	16:12:09
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xf80000
File size:	922'624 bytes
MD5 hash:	8952118CBD8AAC309AF40B7BA020AC8E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:12:09
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x190000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:12:09
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:12:11
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x190000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:12:11
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:12:11
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x190000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:12:11
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:12:12
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x190000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:12:12
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:12:12
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x190000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:12:12
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:12:12
Start date:	19/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:12:12
Start date:	19/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	16:12:12
Start date:	19/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	16:12:13
Start date:	19/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {747d96c5-fa42-4905-9d15-ce93fc205d38} 424 "\\.\pipe\gecko-crash-server-pipe.424" 28e9326ef10 socket
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	16:12:15
Start date:	19/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4284 -parentBuildID 20230927232528 -prefsHandle 4260 -prefMapHandle 4252 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7623ebff-67b8-4a10-9a75-6288c6d1121d} 424 "\\.\pipe\gecko-crash-server-pipe.424" 28ea3d89d10 rdd
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	16:12:22
Start date:	19/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5084 -prefMapHandle 5072 -prefsLen 33074 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {654f39dd-4c75-497d-973f-074fe45c9f11} 424 "\\.\pipe\gecko-crash-server-pipe.424" 28eab432d10 utility
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1558
Total number of Limit Nodes:	63

Executed Functions

Function 00F842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F8430D

Part of subcall function 00F86B57: _wcslen.LIBCMT ref: 00F86B6A

GetCurrentProcess.KERNEL32(?,0101CB64,00000000,?,?), ref: 00F84422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00F84429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F84454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F84466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00F84474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00F8447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00F844A0

Strings

GetNativeSystemInfo, xrefs: 00F84460
kernel32.dll, xrefs: 00F8444F
|O, xrefs: 00FC36F8

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 12904b7b921fa18c46b70564d4cacccebe415c38c98ce5cbbd542a5e58239ede
Instruction ID: 38a90a8da0db863c5b5c66729cc340e8fd22759d200e2ca1c94b4b24e50ae988
Opcode Fuzzy Hash: 12904b7b921fa18c46b70564d4cacccebe415c38c98ce5cbbd542a5e58239ede
Instruction Fuzzy Hash: 39A18E7290E3C1CBC731D769B5A17D67FA46F26394B08C89DD4C1A3A0BD23E4908EB61

Function 00F842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F850AA,?,?,00000000,00000000), ref: 00F842B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F850AA,?,?,00000000,00000000), ref: 00F842C9
LoadResource.KERNEL32(?,00000000,?,?,00F850AA,?,?,00000000,00000000,?,?,?,?,?,?,00F84F20), ref: 00FC35BE
SizeofResource.KERNEL32(?,00000000,?,?,00F850AA,?,?,00000000,00000000,?,?,?,?,?,?,00F84F20), ref: 00FC35D3
LockResource.KERNEL32(00F850AA,?,?,00F850AA,?,?,00000000,00000000,?,?,?,?,?,?,00F84F20,?), ref: 00FC35E6

Strings

SCRIPT, xrefs: 00F842BF

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 64ff2fe03eca32255dc718a5aaf7c79347ba8a4a186fab701f60b3f483871615
Instruction ID: aa5f985ea2aacc98d4b6bd2f0046a72358c3c2509525fcb4112f95d0598032d5
Opcode Fuzzy Hash: 64ff2fe03eca32255dc718a5aaf7c79347ba8a4a186fab701f60b3f483871615
Instruction Fuzzy Hash: F3119A70240306AFE7219B65DD48FA77BB9FBC9B65F108169F44686240DB76E8009730

Function 00FC2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00F82B6B

Part of subcall function 00F83A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01051418,?,00F82E7F,?,?,?,00000000), ref: 00F83A78

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,01042224), ref: 00FC2C10
ShellExecuteW.SHELL32(00000000,?,?,01042224), ref: 00FC2C17

Strings

runas, xrefs: 00FC2C0B

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 7ae2079857211e4e5ab2f747f3ca6fcf51d88c698a54cbe17ff0882512f4e2e4
Instruction ID: d653f8904d9101a01b3b58a7474318c9a0b23d34bb54c2ecbb97cf27ac58e471
Opcode Fuzzy Hash: 7ae2079857211e4e5ab2f747f3ca6fcf51d88c698a54cbe17ff0882512f4e2e4
Instruction Fuzzy Hash: 8611B1316083026BC754FF60DD82AFEBBA4ABD5750F48142DF1C2560A2CF7D9A4AA712

Function 00FED4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FED501
Process32FirstW.KERNEL32(00000000,?), ref: 00FED50F
Process32NextW.KERNEL32(00000000,?), ref: 00FED52F
CloseHandle.KERNELBASE(00000000), ref: 00FED5DC

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 23d9954d51110ab6f6da5cefea543fd233dfda2ed5aecbea11dd891ebbb9b2c6
Instruction ID: d55b6e465fcc8f5c256daaef89af38031eb4838ba068d128a687a68cb9227e4f
Opcode Fuzzy Hash: 23d9954d51110ab6f6da5cefea543fd233dfda2ed5aecbea11dd891ebbb9b2c6
Instruction Fuzzy Hash: 8C31AD321083419FD300EF54CC85ABFBBE8EF99354F58092DF581821A1EB759A48DB92

Function 00FEDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00FC5222), ref: 00FEDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00FEDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00FEDBEE
FindClose.KERNEL32(00000000), ref: 00FEDBFA

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 34c07ac64949e2b52a771a5dba4ce06bab3b74b11692f63f2df17a5b2cdff3b3
Instruction ID: 0d599580e69a3607fb9ba0fa4c236a88c76b9eafd9ac61a814a80bed5c711517
Opcode Fuzzy Hash: 34c07ac64949e2b52a771a5dba4ce06bab3b74b11692f63f2df17a5b2cdff3b3
Instruction Fuzzy Hash: 30F0E5318509105792306B7CAE0D8AA376D9E02374B204702F8BAC24E0EBBD9D64D7D6

Function 00FA4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00FB28E9,?,00FA4CBE,00FB28E9,010488B8,0000000C,00FA4E15,00FB28E9,00000002,00000000,?,00FB28E9), ref: 00FA4D09
TerminateProcess.KERNEL32(00000000,?,00FA4CBE,00FB28E9,010488B8,0000000C,00FA4E15,00FB28E9,00000002,00000000,?,00FB28E9), ref: 00FA4D10
ExitProcess.KERNEL32 ref: 00FA4D22

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 23aa5bdedc2df9aca0ee86ef9a7ba309ef1844e712de94e405ae2548e23cd135
Instruction ID: 4b82b29100830642e263bf54a92c55ce078b7543d66783ee61cfa2f0987fcd05
Opcode Fuzzy Hash: 23aa5bdedc2df9aca0ee86ef9a7ba309ef1844e712de94e405ae2548e23cd135
Instruction Fuzzy Hash: 02E0B671480148ABDF21AF54DE09A587B69EF82795B104014FD458A126DB7EEE42EF80

Function 0100AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0100B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0100B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0100B1D4
_wcslen.LIBCMT ref: 0100B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0100B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0100B236
_wcslen.LIBCMT ref: 0100B332

Part of subcall function 00FF05A7: GetStdHandle.KERNEL32(000000F6), ref: 00FF05C6

_wcslen.LIBCMT ref: 0100B34B
_wcslen.LIBCMT ref: 0100B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0100B3B6
GetLastError.KERNEL32(00000000), ref: 0100B407
CloseHandle.KERNEL32(?), ref: 0100B439
CloseHandle.KERNEL32(00000000), ref: 0100B44A
CloseHandle.KERNEL32(00000000), ref: 0100B45C
CloseHandle.KERNEL32(00000000), ref: 0100B46E
CloseHandle.KERNEL32(?), ref: 0100B4E3

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 5065a3e329b21652e14a252a03e0cf54a01267295ac7de80be2d7acdef6bb41a
Instruction ID: 3c31b7b2aae2543fcc980e417ec5c27220b2fe0b126ec3d3f9505b5b93180a19
Opcode Fuzzy Hash: 5065a3e329b21652e14a252a03e0cf54a01267295ac7de80be2d7acdef6bb41a
Instruction Fuzzy Hash: 3AF1BE356083409FE725EF28C881B6EBBE5BF85310F18845DF9958B2A2DB35EC04CB52

Function 00F8D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00F8D807
timeGetTime.WINMM ref: 00F8DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F8DB28
TranslateMessage.USER32(?), ref: 00F8DB7B
DispatchMessageW.USER32(?), ref: 00F8DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F8DB9F
Sleep.KERNELBASE(0000000A), ref: 00F8DBB1

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: b1e990affea3b4e2a2185b218aa0a3df613e50f1159262800e6c50479f46744e
Instruction ID: 300424a6768a53c548dc8abc6ffcf5257ab186694ff02c930c0d0f5ae9b8971f
Opcode Fuzzy Hash: b1e990affea3b4e2a2185b218aa0a3df613e50f1159262800e6c50479f46744e
Instruction Fuzzy Hash: 1442D131A08341EFD738EF24C844BAAB7E1BF95324F18451AE495873D1D779E844EB92

Function 00F82CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F82D07
RegisterClassExW.USER32(00000030), ref: 00F82D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F82D42
InitCommonControlsEx.COMCTL32(?), ref: 00F82D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F82D6F
LoadIconW.USER32(000000A9), ref: 00F82D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F82D94

Strings

AutoIt v3 GUI, xrefs: 00F82D23
0, xrefs: 00F82CE9
+, xrefs: 00F82CF0
TaskbarCreated, xrefs: 00F82D37

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 73dc3910db5bf4346e68b3c50d593ea9bd54293e77e3bb9fbd2ba8a552da9a86
Instruction ID: d5d83942dc3b9b88de9ac7ea59ca9590b40f6b78a13d5cf1a17a6140ef4b752c
Opcode Fuzzy Hash: 73dc3910db5bf4346e68b3c50d593ea9bd54293e77e3bb9fbd2ba8a552da9a86
Instruction Fuzzy Hash: 3D212CB5D41308AFEB21DFA4E949BDEBBB4FB08700F00811AF591A7284D7BA8540CF90

Function 00FC065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FC039A: CreateFileW.KERNELBASE(00000000,00000000,?,00FC0704,?,?,00000000,?,00FC0704,00000000,0000000C), ref: 00FC03B7

GetLastError.KERNEL32 ref: 00FC076F
__dosmaperr.LIBCMT ref: 00FC0776
GetFileType.KERNELBASE(00000000), ref: 00FC0782
GetLastError.KERNEL32 ref: 00FC078C
__dosmaperr.LIBCMT ref: 00FC0795
CloseHandle.KERNEL32(00000000), ref: 00FC07B5
CloseHandle.KERNEL32(?), ref: 00FC08FF
GetLastError.KERNEL32 ref: 00FC0931
__dosmaperr.LIBCMT ref: 00FC0938

Strings

H, xrefs: 00FC08BD

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: c8be5776c70a8296e35fe0da4a73ceea7e06176a5d3f9c2ace97ed0aa97c6f05
Instruction ID: 974dfee0051af0f0cc729134558bbbb466c683801537f04fb124d52b972f9d13
Opcode Fuzzy Hash: c8be5776c70a8296e35fe0da4a73ceea7e06176a5d3f9c2ace97ed0aa97c6f05
Instruction Fuzzy Hash: 61A12432A002058FDF29AF68D952BAE3BE0AB06320F14015DF8159F3D1DB399D13EB91

Function 00F8344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F83A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01051418,?,00F82E7F,?,?,?,00000000), ref: 00F83A78

Part of subcall function 00F83357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F83379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F8356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FC318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FC31CE
RegCloseKey.ADVAPI32(?), ref: 00FC3210
_wcslen.LIBCMT ref: 00FC3277
_wcslen.LIBCMT ref: 00FC3286

Strings

Include, xrefs: 00FC3184, 00FC31C5
Software\AutoIt v3\AutoIt, xrefs: 00F83560
\, xrefs: 00FC328C
\Include\, xrefs: 00F83527

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: d00ab527793a272afd6a24f73a354b871642b69771c75ec7043781b67a5f5e15
Instruction ID: 79d248f83479306a1e87ce68b6ce7963e370d8a589ea8606cc08ddce7ac32814
Opcode Fuzzy Hash: d00ab527793a272afd6a24f73a354b871642b69771c75ec7043781b67a5f5e15
Instruction Fuzzy Hash: B571C071408301DEC724EF25DC829ABBBE8FF85740F40842EF48597166EB79DA48DB51

Function 00F82B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F82B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00F82B9D
LoadIconW.USER32(00000063), ref: 00F82BB3
LoadIconW.USER32(000000A4), ref: 00F82BC5
LoadIconW.USER32(000000A2), ref: 00F82BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F82BEF
RegisterClassExW.USER32(?), ref: 00F82C40

Part of subcall function 00F82CD4: GetSysColorBrush.USER32(0000000F), ref: 00F82D07
Part of subcall function 00F82CD4: RegisterClassExW.USER32(00000030), ref: 00F82D31
Part of subcall function 00F82CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F82D42
Part of subcall function 00F82CD4: InitCommonControlsEx.COMCTL32(?), ref: 00F82D5F
Part of subcall function 00F82CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F82D6F
Part of subcall function 00F82CD4: LoadIconW.USER32(000000A9), ref: 00F82D85
Part of subcall function 00F82CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F82D94

Strings

AutoIt v3, xrefs: 00F82C2F
0, xrefs: 00F82C0F
#, xrefs: 00F82C16

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 48ffe7629b59a491ab79f5381d49dcd3f82e47f80dd4a618efebd869b061ff7d
Instruction ID: 81d070096a9b23d283b9ef94e2d2ca83ad11d51531b0cf14c3c9304978923075
Opcode Fuzzy Hash: 48ffe7629b59a491ab79f5381d49dcd3f82e47f80dd4a618efebd869b061ff7d
Instruction Fuzzy Hash: F1219270E40314AFDB209F95E964B9E7FB9FB08B50F00811AF580A7295D3BE4540DF80

Function 00F83170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F8316A,?,?), ref: 00F831D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00F8316A,?,?), ref: 00F83204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F83227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F8316A,?,?), ref: 00F83232
CreatePopupMenu.USER32 ref: 00F83246
PostQuitMessage.USER32(00000000), ref: 00F83267

Strings

TaskbarCreated, xrefs: 00F8322D

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d0deb9ec162f0d84a22ee488a435d36800365c0336c10557809f9ce13bf0b6c5
Instruction ID: 0646e79368db413226137bb0dbf7b9c662a4924c69bd17e086cfcdcf5b2caa11
Opcode Fuzzy Hash: d0deb9ec162f0d84a22ee488a435d36800365c0336c10557809f9ce13bf0b6c5
Instruction Fuzzy Hash: 81411936A40204A6DB243B78DE0EBFE3A29F705F14F044119F982C51A5CBBEDA40B361

Function 00F81410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F81459
CoUninitialize.COMBASE ref: 00F814F8
UnregisterHotKey.USER32(?), ref: 00F816DD
DestroyWindow.USER32(?), ref: 00FC24B9
FreeLibrary.KERNEL32(?), ref: 00FC251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FC254B

Strings

close all, xrefs: 00F81454

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: aacd13552da292758ab7c1748f00bf6b3bd61270468cf350e81ddf2dde33909b
Instruction ID: 53c933ea7dec699227fe6ccd032d916c142055779caebb42fc1f7ec93c0258c2
Opcode Fuzzy Hash: aacd13552da292758ab7c1748f00bf6b3bd61270468cf350e81ddf2dde33909b
Instruction Fuzzy Hash: 00D15931B012128FDB29EF14CA9AF69F7A4BF05710F1442ADE44AAB251DB35EC12EF50

Function 00F82C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F82C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F82CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F81CAD,?), ref: 00F82CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F81CAD,?), ref: 00F82CCF

Strings

AutoIt v3, xrefs: 00F82C89, 00F82C8E, 00F82C8F
edit, xrefs: 00F82CAC

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b1f4a8b02b3e179d19495a59990fac64b14e7f44895faa11db9aeba05a41c3ca
Instruction ID: feea55b2eac88d150bc4f8808101f2d526289e7af2ce5f0d1fcd3f1e2affe7d6
Opcode Fuzzy Hash: b1f4a8b02b3e179d19495a59990fac64b14e7f44895faa11db9aeba05a41c3ca
Instruction Fuzzy Hash: 64F017755803907AEB300713AC18F772EBEE7C6F60B01801AF940A6159C27A4840DBB0

Function 00F83B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F83B0F,SwapMouseButtons,00000004,?), ref: 00F83B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F83B0F,SwapMouseButtons,00000004,?), ref: 00F83B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00F83B0F,SwapMouseButtons,00000004,?), ref: 00F83B83

Strings

Control Panel\Mouse, xrefs: 00F83B3E

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: efdd7aed2ab2f2353f7c80e13119218cbe92b0a3e698429888548ffa43d6a6b9
Instruction ID: a65f6e7493c2edf8a1ddc8f34cb98b9c8e545508924eac055b1e961bf2be41f9
Opcode Fuzzy Hash: efdd7aed2ab2f2353f7c80e13119218cbe92b0a3e698429888548ffa43d6a6b9
Instruction Fuzzy Hash: 02112AB5610208FFDB21DFA5DC48AEEB7B8EF45B94B104459B805D7124E231DF40A760

Function 00F83923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FC33A2

Part of subcall function 00F86B57: _wcslen.LIBCMT ref: 00F86B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F83A04

Strings

Line: , xrefs: 00FC33EB

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 551e892766fbf7965971624e98a6f56961d2dd11cd777cb57bdd46ef7639dde8
Instruction ID: 042d8cd796de7ce947bb403b92dd6f7712e4beaba245ab1f5b7608463343dae6
Opcode Fuzzy Hash: 551e892766fbf7965971624e98a6f56961d2dd11cd777cb57bdd46ef7639dde8
Instruction Fuzzy Hash: 5F31C371908300AAD725FB20DC45BEBB7D8AF44B20F00492EF5D992191EB789649D7C2

Function 00F9FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00FA0668

Part of subcall function 00FA32A4: RaiseException.KERNEL32(?,?,?,00FA068A,?,01051444,?,?,?,?,?,?,00FA068A,00F81129,01048738,00F81129), ref: 00FA3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00FA0685

Strings

Unknown exception, xrefs: 00FA0692

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 411f1b293ee7dd1dad8b9cacdddff0312f3efafd06012f3c7814b3914ddbd8bd
Instruction ID: e187c20728909cf0b6f53f86edd3310ebf0e2aa8bf379a7b66ff9bc9dc911c2c
Opcode Fuzzy Hash: 411f1b293ee7dd1dad8b9cacdddff0312f3efafd06012f3c7814b3914ddbd8bd
Instruction Fuzzy Hash: D3F0F6B4D0020D77CF00F6A5EC86D9E776C6E42364B604536B824D6591EF75EA29F9C0

Function 00F810F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F81BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F81BF4
Part of subcall function 00F81BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F81BFC
Part of subcall function 00F81BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F81C07
Part of subcall function 00F81BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F81C12
Part of subcall function 00F81BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F81C1A
Part of subcall function 00F81BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F81C22

Part of subcall function 00F81B4A: RegisterWindowMessageW.USER32(00000004,?,00F812C4), ref: 00F81BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F8136A
OleInitialize.OLE32 ref: 00F81388
CloseHandle.KERNEL32(00000000,00000000), ref: 00FC24AB

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 0ad5d13f6918746004e3f103a835aa9909eb4e865502efd2c44f59e6538867b4
Instruction ID: 1c8cbd04f0e32886a463bc67ecab12275ddd30dfc910f8f0fd4eb3b32c1d0e18
Opcode Fuzzy Hash: 0ad5d13f6918746004e3f103a835aa9909eb4e865502efd2c44f59e6538867b4
Instruction Fuzzy Hash: 4771AAB4901300CFD7A8EF79E5497A73AE5FB48348758962AD4DAC7249EB3E8841CF50

Function 00FEC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F83923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F83A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FEC259
KillTimer.USER32(?,00000001,?,?), ref: 00FEC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FEC270

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 2e84f80e1043cfcc157528b431a628544588261a669b708d58f461bd84f3d535
Instruction ID: 1e3179f413186355dff7fc4fc2935bbd7e24cf249f486d164783062a80720a8a
Opcode Fuzzy Hash: 2e84f80e1043cfcc157528b431a628544588261a669b708d58f461bd84f3d535
Instruction Fuzzy Hash: 4331D571904384AFEB329F758855BEBBBECAF07304F00049EE2DA97241C7785A85DB91

Function 00FB86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00FB85CC,?,01048CC8,0000000C), ref: 00FB8704
GetLastError.KERNEL32(?,00FB85CC,?,01048CC8,0000000C), ref: 00FB870E
__dosmaperr.LIBCMT ref: 00FB8739

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 7406001946910b85cd1500d421445c73eaa954fd74579f18a225b8c3c044f13f
Instruction ID: 4a69cb91a14eba7a01a2609fa54900f270d7a3bc67d49ac1d9befad79eec76a7
Opcode Fuzzy Hash: 7406001946910b85cd1500d421445c73eaa954fd74579f18a225b8c3c044f13f
Instruction Fuzzy Hash: 92010832E0566026D6647236E8457EE778F4BC2BB8F3D0119F8148B5D2DEADCC82EE50

Function 00F8DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00F8DB7B
DispatchMessageW.USER32(?), ref: 00F8DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F8DB9F
Sleep.KERNELBASE(0000000A), ref: 00F8DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00FD1CC9

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: a40d4ed4d0da7a01a62a92b8e2cc7ac49ab9a3fdb848097ab04c45db6555b67e
Instruction ID: 9ebaf98049fc15466bd2818e21d88f306ebeccf8ab20eb5ac78ede709d657625
Opcode Fuzzy Hash: a40d4ed4d0da7a01a62a92b8e2cc7ac49ab9a3fdb848097ab04c45db6555b67e
Instruction Fuzzy Hash: 28F05E30A443409BFB30DB60DC49FEA73ADFF84320F104A19E68A830C0DB799488EB15

Function 00F91310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F917F6

Strings

CALL, xrefs: 00F917C6

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 2e01d610eb4b88ef4d14c81ba207c6fcba9c3fe6586bdc728fe8840e48044f4d
Instruction ID: 6ff0ec912a20b1ec4a0a611c0d82a466d6e0ee68dd1f101e3d21e024fd68ad53
Opcode Fuzzy Hash: 2e01d610eb4b88ef4d14c81ba207c6fcba9c3fe6586bdc728fe8840e48044f4d
Instruction Fuzzy Hash: EE227F71A083029FEB14DF14C880B2ABBF2BF85314F19896DF4968B361D775E845EB52

Function 00F82DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00FC2C8C

Part of subcall function 00F83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F83A97,?,?,00F82E7F,?,?,?,00000000), ref: 00F83AC2

Part of subcall function 00F82DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F82DC4

Strings

X, xrefs: 00FC2C5A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 1e4f358f4a5a4e0dfc05959a12b24ca3d36f6f67e30c82da178738dcbe6dc411
Instruction ID: 44dce908f7651b755a205c4bd2b024d2269c44a154509403cbe7f26f1eafac40
Opcode Fuzzy Hash: 1e4f358f4a5a4e0dfc05959a12b24ca3d36f6f67e30c82da178738dcbe6dc411
Instruction Fuzzy Hash: 4321D571E002589FCF45EF94CC4ABEE7BF8AF49714F008059E445E7241DBB89A499FA1

Function 00F83837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F83908

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 1b10ec98058f83378dfcb12d96a82348a2ffe2d77618f3bf86c99778b981bed2
Instruction ID: c4a3d7be83bf65efd7e48939f1e31e0bb3f689317554144d2fa5bd25c52cd5df
Opcode Fuzzy Hash: 1b10ec98058f83378dfcb12d96a82348a2ffe2d77618f3bf86c99778b981bed2
Instruction Fuzzy Hash: 8B31D271A043019FD720EF24D4857D7BBE8FB49718F00092EF9DA83251E77AAA44DB52

Function 00F9F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F9F661

Part of subcall function 00F8D730: GetInputState.USER32 ref: 00F8D807

Sleep.KERNEL32(00000000), ref: 00FDF2DE

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 3a114efe83f9f16e7c5905d400ea6d24da12e8b96b433f93028dfbbc2be9dab9
Instruction ID: 604528e6224176f2aad9112b914c0366cd6d92d261295194de6486d285d8a562
Opcode Fuzzy Hash: 3a114efe83f9f16e7c5905d400ea6d24da12e8b96b433f93028dfbbc2be9dab9
Instruction Fuzzy Hash: 1DF082712802059FD310FF65D945F9ABBE4FF46761F000029E859C7350DB74A800DB90

Function 00F84ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F84E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F84EDD,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84E9C
Part of subcall function 00F84E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F84EAE
Part of subcall function 00F84E90: FreeLibrary.KERNEL32(00000000,?,?,00F84EDD,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84EFD

Part of subcall function 00F84E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FC3CDE,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84E62
Part of subcall function 00F84E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F84E74
Part of subcall function 00F84E59: FreeLibrary.KERNEL32(00000000,?,?,00FC3CDE,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84E87

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: f692009b25afedaa8af9f0ed7197468ead5d07804e0d85d9cc6f837512375950
Instruction ID: 8041f484ee927a836d98af157fbc8c124fada8c01d57164e2991c13ccf4a656a
Opcode Fuzzy Hash: f692009b25afedaa8af9f0ed7197468ead5d07804e0d85d9cc6f837512375950
Instruction Fuzzy Hash: 9F11E732600206ABDB14FF60DD16FED77A5AF40B14F10842EF582AB1C1EE78EA05B750

Function 00FB8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00FB8440

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ed5ebf76d8a9af90b40b1dec258d2e075462c471cbd29937c4324f66bac17f9d
Instruction ID: 0212e7d5e6f81c16f339a61135be978fd8eb80603cdf3a5481475bd8cef94823
Opcode Fuzzy Hash: ed5ebf76d8a9af90b40b1dec258d2e075462c471cbd29937c4324f66bac17f9d
Instruction Fuzzy Hash: 3711367590420AEFCB05DF59E941ADA7BF8EF48310F104059F808AB302DA31DA12DBA5

Function 00FB5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FB4C7D: RtlAllocateHeap.NTDLL(00000008,00F81129,00000000,?,00FB2E29,00000001,00000364,?,?,?,00FAF2DE,00FB3863,01051444,?,00F9FDF5,?), ref: 00FB4CBE

_free.LIBCMT ref: 00FB506C

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 206df735bab9a513a61fba16f6f2f1ae35a0451c98e0f0bdc07a3bdb85f897fb
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: B8012B726047056BE3219E569C41A9AFBE8FB89370F25051DE18483280E6346805CA74

Function 00FAE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 97bb5ff7ecee07cc22faea9c46d7343a86e6a023f46961d3d18bcd8887521d4c
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: FAF0F972920A1496D6313A6A8C05B96339C9F53370F100B15F425926D2DB78D806BDA5

Function 00FB4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00F81129,00000000,?,00FB2E29,00000001,00000364,?,?,?,00FAF2DE,00FB3863,01051444,?,00F9FDF5,?), ref: 00FB4CBE

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f8c7015ebbe34e10568783cd3589d6f4dd068c2c39d37cc288f302923bb49959
Instruction ID: 50d0e15fb955cd58c09786bcfbb36372b94b946c31ca3bd48a60ff218655d37b
Opcode Fuzzy Hash: f8c7015ebbe34e10568783cd3589d6f4dd068c2c39d37cc288f302923bb49959
Instruction Fuzzy Hash: C3F0BBB1A4222466DB215E639E05BD63F88AF41B71B144121F819D6587CA75FC007AE0

Function 00FB3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,01051444,?,00F9FDF5,?,?,00F8A976,00000010,01051440,00F813FC,?,00F813C6,?,00F81129), ref: 00FB3852

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 74627743b728c0f963cd8448a97da7e6ecb3fb7fbce3b8dc8d1978dc8c244030
Instruction ID: a04801fc7220bf998e1c736739ad691228c9ca51de54e52b18ff6e001965532c
Opcode Fuzzy Hash: 74627743b728c0f963cd8448a97da7e6ecb3fb7fbce3b8dc8d1978dc8c244030
Instruction Fuzzy Hash: A3E065339C122456E73126AB9C05BDB3649AB837B0F160131BC5596581DB65ED01BAE2

Function 00F84F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84F6D

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b90d21600e4e769dbff1b083d5b8fc4e99aa20bef79d27e04741b0804063a439
Instruction ID: 8607a2851e6903b5d48d6e0481b800493de3a34b762cac89ee2bab788df3cfa4
Opcode Fuzzy Hash: b90d21600e4e769dbff1b083d5b8fc4e99aa20bef79d27e04741b0804063a439
Instruction Fuzzy Hash: 94F03071505752CFDB34AF64D890952B7F4BF15329315897EE2EA83610C735A844EF10

Function 01012A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01012A66

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 179d769de4daa17c2c78e15b70b376adc6ae50b8c8ac780f49bf02fbe14339c2
Instruction ID: a45347216b9a849245e1bc8ea5e552681326b0c1e34e4577f55399f82f66554e
Opcode Fuzzy Hash: 179d769de4daa17c2c78e15b70b376adc6ae50b8c8ac780f49bf02fbe14339c2
Instruction Fuzzy Hash: 72E0DF3238011AABDB20EA30DC848FE735CEF10294710043AAC56C2100DB3CA98182A0

Function 00F830F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F8314E

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 2d333135e1f89b59c6e397ce18ef0bfb1169db904d0ce586de9872ba570a5851
Instruction ID: d9ac66f3e98750b3029a6b88d8f4daca50ca46a2316e9c74a6bfa818508704ca
Opcode Fuzzy Hash: 2d333135e1f89b59c6e397ce18ef0bfb1169db904d0ce586de9872ba570a5851
Instruction Fuzzy Hash: D9F03770914314AFEB629B64DC497D67BBCA701708F0040E5A58996186DB795788CF51

Function 00F82DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F82DC4

Part of subcall function 00F86B57: _wcslen.LIBCMT ref: 00F86B6A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: c6c25453d3abbee3853cfc316ff2562e3cd00def56df69a9ba1daa73e78ec1f1
Instruction ID: 7012801d61863544b43c13b2e1e16cd4abb7a24864fe8e040baa06d54fdaf51d
Opcode Fuzzy Hash: c6c25453d3abbee3853cfc316ff2562e3cd00def56df69a9ba1daa73e78ec1f1
Instruction Fuzzy Hash: 3EE0CD72A002245BC720A2589C06FDA77DDDFC8790F040075FD09D7249D968ED80C650

Function 00F82B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F83837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F83908

Part of subcall function 00F8D730: GetInputState.USER32 ref: 00F8D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00F82B6B

Part of subcall function 00F830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F8314E

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 5f69aae12fc4f87ba69313645939c81bbd22a4a07912ef11d1b139ecd9226653
Instruction ID: 3724066fc4bcae389635eb117a008e55edc9856b8c18d2860cb8138042e41019
Opcode Fuzzy Hash: 5f69aae12fc4f87ba69313645939c81bbd22a4a07912ef11d1b139ecd9226653
Instruction Fuzzy Hash: 33E0263270420402CB04BA30AC125FEB7499BD1715F40153EF182431A3CF3D8A455312

Function 00FC039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00FC0704,?,?,00000000,?,00FC0704,00000000,0000000C), ref: 00FC03B7

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 88d31a7e5d9ca6577482e50b9f89efbfbc7c37d1cf7eb5a13d16653cb3a1cb4c
Instruction ID: 9c99fbf8e01f57a00665e180f82f7a82d333e44b74690c49b1ea22e0fb3bb293
Opcode Fuzzy Hash: 88d31a7e5d9ca6577482e50b9f89efbfbc7c37d1cf7eb5a13d16653cb3a1cb4c
Instruction Fuzzy Hash: D6D06C3208010DBBDF128E84DD06EDA3BAAFB48714F014000BE5856020C736E821AB90

Function 00F81CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00F81CBC

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: ddc327cbbf62277b35462813116ef2a01625780a707a15467ea4bd39fc5a74bc
Instruction ID: 0fc413930a67bb63f0c712521115a991b35dc58422fb401ab07faff080373e37
Opcode Fuzzy Hash: ddc327cbbf62277b35462813116ef2a01625780a707a15467ea4bd39fc5a74bc
Instruction Fuzzy Hash: 7AC092362C0304EFF3358A80BD5AF127765A748B04F048401F68AA95DBC3BB58A0EB50

Non-executed Functions

Function 01019576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0101961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0101965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0101969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010196C9
SendMessageW.USER32 ref: 010196F2
GetKeyState.USER32(00000011), ref: 0101978B
GetKeyState.USER32(00000009), ref: 01019798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 010197AE
GetKeyState.USER32(00000010), ref: 010197B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010197E9
SendMessageW.USER32 ref: 01019810
SendMessageW.USER32(?,00001030,?,01017E95), ref: 01019918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0101992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 01019941
SetCapture.USER32(?), ref: 0101994A
ClientToScreen.USER32(?,?), ref: 010199AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 010199BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010199D6
ReleaseCapture.USER32 ref: 010199E1
GetCursorPos.USER32(?), ref: 01019A19
ScreenToClient.USER32(?,?), ref: 01019A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 01019A80
SendMessageW.USER32 ref: 01019AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 01019AEB
SendMessageW.USER32 ref: 01019B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 01019B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 01019B4A
GetCursorPos.USER32(?), ref: 01019B68
ScreenToClient.USER32(?,?), ref: 01019B75
GetParent.USER32(?), ref: 01019B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 01019BFA
SendMessageW.USER32 ref: 01019C2B
ClientToScreen.USER32(?,?), ref: 01019C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 01019CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 01019CDE
SendMessageW.USER32 ref: 01019D01
ClientToScreen.USER32(?,?), ref: 01019D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 01019D82

Part of subcall function 00F99944: GetWindowLongW.USER32(?,000000EB), ref: 00F99952

GetWindowLongW.USER32(?,000000F0), ref: 01019E05

Strings

@GUI_DRAGID, xrefs: 0101997D
F, xrefs: 01019D07

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 79789d8b52c73b9d20af4f5ca74c82b59099b35047876a0d8a8972f4ac4bcea0
Instruction ID: f1f004d9c3f4dede7e08de20b2a6df452b2b9001c541dd746c8e1ee9929d84cf
Opcode Fuzzy Hash: 79789d8b52c73b9d20af4f5ca74c82b59099b35047876a0d8a8972f4ac4bcea0
Instruction Fuzzy Hash: 67429E74204201EFE725CF28C954BAABBE5FF8D318F040A59F6D9872A9D739E850CB51

Function 01014873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 010148F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 01014908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 01014927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0101494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0101495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0101497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 010149AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 010149D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 01014A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01014A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01014A7E
IsMenu.USER32(?), ref: 01014A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01014AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01014B20
GetWindowLongW.USER32(?,000000F0), ref: 01014B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 01014BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 01014C82
wsprintfW.USER32 ref: 01014CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01014CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 01014CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01014D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01014D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 01014D5A

Strings

%d/%02d/%02d, xrefs: 01014CA8

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 525859d3d86b78febbdd36e163be6fe0dff3fd1ce18946bc789072aca42c0fed
Instruction ID: 2141afe8a7c5a7c9884f9266afdf2c5f798eb87d177e64b4c345c466460d498f
Opcode Fuzzy Hash: 525859d3d86b78febbdd36e163be6fe0dff3fd1ce18946bc789072aca42c0fed
Instruction Fuzzy Hash: 9212FE71600214ABFB259F28CC49FAE7BF8EF49310F044169F596EB2A9DB7C9940CB50

Function 00F9F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00F9F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FDF474
IsIconic.USER32(00000000), ref: 00FDF47D
ShowWindow.USER32(00000000,00000009), ref: 00FDF48A
SetForegroundWindow.USER32(00000000), ref: 00FDF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FDF4AA
GetCurrentThreadId.KERNEL32 ref: 00FDF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FDF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FDF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FDF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00FDF4DE
SetForegroundWindow.USER32(00000000), ref: 00FDF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FDF4F6
keybd_event.USER32(00000012,00000000), ref: 00FDF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FDF50B
keybd_event.USER32(00000012,00000000), ref: 00FDF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FDF519
keybd_event.USER32(00000012,00000000), ref: 00FDF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FDF528
keybd_event.USER32(00000012,00000000), ref: 00FDF52D
SetForegroundWindow.USER32(00000000), ref: 00FDF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00FDF557

Strings

Shell_TrayWnd, xrefs: 00FDF46F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 80a6a2413b1192965df89e4d55fe0b57a36f6b4f241db460f8dcb5d1228664b0
Instruction ID: c0f38487ef9cfa0e8ed56893209b0680c08c56b3d943799413d69386ddf89f3d
Opcode Fuzzy Hash: 80a6a2413b1192965df89e4d55fe0b57a36f6b4f241db460f8dcb5d1228664b0
Instruction Fuzzy Hash: F9316371A80318BBFB316BB55D4AFBF7E6DEB44B50F140426FA01E61C1C6B99D00AB60

Function 00FE1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00FE16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FE170D
Part of subcall function 00FE16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FE173A
Part of subcall function 00FE16C3: GetLastError.KERNEL32 ref: 00FE174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00FE1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00FE12A8
CloseHandle.KERNEL32(?), ref: 00FE12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FE12D1
GetProcessWindowStation.USER32 ref: 00FE12EA
SetProcessWindowStation.USER32(00000000), ref: 00FE12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FE1310

Part of subcall function 00FE10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FE11FC), ref: 00FE10D4
Part of subcall function 00FE10BF: CloseHandle.KERNEL32(?,?,00FE11FC), ref: 00FE10E9

Strings

, xrefs: 00FE125A
winsta0, xrefs: 00FE12CC
default, xrefs: 00FE130B

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 5bb92cc3dae3cd833b9953f4888ab8cc7f079e0286ea00ee4a2aecbefa8fb4f5
Instruction ID: 7822606a9a59c617cf62c8e8993360185e70a375b05e706ef008e61dd2f23fb3
Opcode Fuzzy Hash: 5bb92cc3dae3cd833b9953f4888ab8cc7f079e0286ea00ee4a2aecbefa8fb4f5
Instruction Fuzzy Hash: 76819B71900288AFEF21DFA6DD49FEE7BB9FF09710F144029F910A6290C7799954DB20

Function 00FE0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FE1114
Part of subcall function 00FE10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE1120
Part of subcall function 00FE10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE112F
Part of subcall function 00FE10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE1136
Part of subcall function 00FE10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FE114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FE0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FE0C00
GetLengthSid.ADVAPI32(?), ref: 00FE0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00FE0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FE0C6D
GetLengthSid.ADVAPI32(?), ref: 00FE0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FE0C8C
HeapAlloc.KERNEL32(00000000), ref: 00FE0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FE0CB4
CopySid.ADVAPI32(00000000), ref: 00FE0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FE0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FE0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FE0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE0D45
HeapFree.KERNEL32(00000000), ref: 00FE0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE0D55
HeapFree.KERNEL32(00000000), ref: 00FE0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE0D65
HeapFree.KERNEL32(00000000), ref: 00FE0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00FE0D78
HeapFree.KERNEL32(00000000), ref: 00FE0D7F

Part of subcall function 00FE1193: GetProcessHeap.KERNEL32(00000008,00FE0BB1,?,00000000,?,00FE0BB1,?), ref: 00FE11A1
Part of subcall function 00FE1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FE0BB1,?), ref: 00FE11A8
Part of subcall function 00FE1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FE0BB1,?), ref: 00FE11B7

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c114183ee01a1fc84ab71b7c8e915e946de487a93ce797539c9b27fdee4c588f
Instruction ID: 095ef7bd2f74d6a35f453689c1e72660a49af774a58b3e2375d69a5049692bc2
Opcode Fuzzy Hash: c114183ee01a1fc84ab71b7c8e915e946de487a93ce797539c9b27fdee4c588f
Instruction Fuzzy Hash: 3871AA72D0024AABEF20DFA6DD44FAEBBB8BF05310F144115F944A6180DBB9EA41DB60

Function 00FFEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0101CC08), ref: 00FFEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00FFEB37
GetClipboardData.USER32(0000000D), ref: 00FFEB43
CloseClipboard.USER32 ref: 00FFEB4F
GlobalLock.KERNEL32(00000000), ref: 00FFEB87
CloseClipboard.USER32 ref: 00FFEB91
GlobalUnlock.KERNEL32(00000000), ref: 00FFEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00FFEBC9
GetClipboardData.USER32(00000001), ref: 00FFEBD1
GlobalLock.KERNEL32(00000000), ref: 00FFEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00FFEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00FFEC38
GetClipboardData.USER32(0000000F), ref: 00FFEC44
GlobalLock.KERNEL32(00000000), ref: 00FFEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00FFEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FFEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FFECD2
GlobalUnlock.KERNEL32(00000000), ref: 00FFECF3
CountClipboardFormats.USER32 ref: 00FFED14
CloseClipboard.USER32 ref: 00FFED59

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 8217df78b6c5c626e2281e3c1767ac2f54e4e38afaefd106410684651fd41b72
Instruction ID: b80b59059cfab0a9cb5accf5ab1790fd48a32f72e0c0b410639402a8ebf297c8
Opcode Fuzzy Hash: 8217df78b6c5c626e2281e3c1767ac2f54e4e38afaefd106410684651fd41b72
Instruction Fuzzy Hash: 3A6112342443069FE310EF64C884F7A77A4AF84714F04441DF686972B2CB3AED05EB62

Function 00FF698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FF69BE
FindClose.KERNEL32(00000000), ref: 00FF6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FF6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FF6A75

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00FF6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FF6ADF

Strings

%4d, xrefs: 00FF6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00FF6B6A
%03d, xrefs: 00FF6DA2
%02d, xrefs: 00FF6C00, 00FF6C0A, 00FF6C5A, 00FF6CAA, 00FF6CFA, 00FF6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00FF6B32

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: f04bf2753f9bd1a2f20253e43240214df209550da420017663f2dd86bb192642
Instruction ID: 9d8de147c66decd8a27181df1db58bfa53b5919109a5076cf5e25dc3a1215d75
Opcode Fuzzy Hash: f04bf2753f9bd1a2f20253e43240214df209550da420017663f2dd86bb192642
Instruction Fuzzy Hash: 69D15EB2508304ABC710EBA0CC81EBBB7E8AF99704F44491DF685D7151EB79DA48DB62

Function 00FF9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00FF9663
GetFileAttributesW.KERNEL32(?), ref: 00FF96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00FF96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00FF96D3
FindClose.KERNEL32(00000000), ref: 00FF96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00FF96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00FF974A
SetCurrentDirectoryW.KERNEL32(01046B7C), ref: 00FF9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FF9772
FindClose.KERNEL32(00000000), ref: 00FF977F
FindClose.KERNEL32(00000000), ref: 00FF978F

Strings

*.*, xrefs: 00FF96F5

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 108790fb4c47d913bc974738a01d276cab6f6f8d462324881c361b277d59955e
Instruction ID: 33b076069e0410ff33f18de72369e8e2e0d140a3c340f0d0621ef3a503d5f2f1
Opcode Fuzzy Hash: 108790fb4c47d913bc974738a01d276cab6f6f8d462324881c361b277d59955e
Instruction Fuzzy Hash: 8531F57294421D6BDF24AEB4DD48BEE37AC9F49331F104065FA54E20A0EBB9DE409B54

Function 00FF979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00FF97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00FF9819
FindClose.KERNEL32(00000000), ref: 00FF9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00FF9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00FF9890
SetCurrentDirectoryW.KERNEL32(01046B7C), ref: 00FF98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FF98B8
FindClose.KERNEL32(00000000), ref: 00FF98C5
FindClose.KERNEL32(00000000), ref: 00FF98D5

Part of subcall function 00FEDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FEDB00

Strings

*.*, xrefs: 00FF983B

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b1bdd2bebdbbb6c727659bc1943ae2df7556d17cf48eb993e6542923ee25d67a
Instruction ID: 5ddc3185a55a1a01d492db5e3837e69969710523f48a2edb20f1bdfe29790969
Opcode Fuzzy Hash: b1bdd2bebdbbb6c727659bc1943ae2df7556d17cf48eb993e6542923ee25d67a
Instruction Fuzzy Hash: C331F87294421D6BEB20EEB5DC48BEE37AC9F46370F104165F954A20A0DBB9DE84DB50

Function 0100BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0100C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100B6AE,?,?), ref: 0100C9B5
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100C9F1
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100CA68
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0100BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0100BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0100BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0100C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0100C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0100C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0100C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0100C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0100C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0100C382
RegCloseKey.ADVAPI32(00000000), ref: 0100C38F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: c92f186f59a8a5a79e949e7be9e54f65e392c21d81edc2032632ab21cf08de2a
Instruction ID: 712fe86e239b14a436435566a8158458732b1f617467dd96596a611a70e33df1
Opcode Fuzzy Hash: c92f186f59a8a5a79e949e7be9e54f65e392c21d81edc2032632ab21cf08de2a
Instruction Fuzzy Hash: 2F027F706042009FE715DF28C995E2ABBE5EF49308F18C59DF88ACB2A2DB35ED45CB51

Function 00FF8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FF8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FF8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FF8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FF8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00FF8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00FF8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FF838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00FF8395

Strings

*.*, xrefs: 00FF839B

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 39a4939ce043b01b4f047a017ec6c6599fdf109d9d907c338f6c18fb87a377b4
Instruction ID: 331dc158cfbd4b369ba4dded3fb780fd62264b92c7c17a5e3abd7ec47685a432
Opcode Fuzzy Hash: 39a4939ce043b01b4f047a017ec6c6599fdf109d9d907c338f6c18fb87a377b4
Instruction Fuzzy Hash: 73618CB25083099FD710EF60C8409AFB3E8FF89754F04491DFA8987261DB39E946DB92

Function 00FED076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F83A97,?,?,00F82E7F,?,?,?,00000000), ref: 00F83AC2

Part of subcall function 00FEE199: GetFileAttributesW.KERNEL32(?,00FECF95), ref: 00FEE19A

FindFirstFileW.KERNEL32(?,?), ref: 00FED122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00FED1DD
MoveFileW.KERNEL32(?,?), ref: 00FED1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FED20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FED237

Part of subcall function 00FED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00FED21C,?,?), ref: 00FED2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00FED253
FindClose.KERNEL32(00000000), ref: 00FED264

Strings

\*.*, xrefs: 00FED0CD, 00FED0D6, 00FED0EB

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: df3fbbbb8ee9a36aa71bb7e93a07a860189006870a5bb399a09bcf99a77b5ded
Instruction ID: f6b0a9522b046c44d20818828841207fa439455288b95eab0cb131f7df752341
Opcode Fuzzy Hash: df3fbbbb8ee9a36aa71bb7e93a07a860189006870a5bb399a09bcf99a77b5ded
Instruction Fuzzy Hash: EA615631C05149ABDF05EBE1CE929FDB7B9AF15300F244165E40277191EB39AF09EB61

Function 00FFED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00FFED91
EmptyClipboard.USER32 ref: 00FFED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00FFEDAC
CloseClipboard.USER32 ref: 00FFEEA3

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 36db50d4ce16a2daa6abccec85616ade9448784e54b508ea8f0e43e77a1932c8
Instruction ID: 0bea8ada9971136d488faaae341e181fe3f3f9122cf06b632932f4645b856971
Opcode Fuzzy Hash: 36db50d4ce16a2daa6abccec85616ade9448784e54b508ea8f0e43e77a1932c8
Instruction Fuzzy Hash: 7D41C135604211AFE320DF15E448B69BBE1FF44328F15C499E5998B672C73AFC41DB90

Function 00FEE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FE170D
Part of subcall function 00FE16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FE173A
Part of subcall function 00FE16C3: GetLastError.KERNEL32 ref: 00FE174A

ExitWindowsEx.USER32(?,00000000), ref: 00FEE932

Strings

SeShutdownPrivilege, xrefs: 00FEE902
, xrefs: 00FEE920
, xrefs: 00FEE95C
@, xrefs: 00FEE925

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 6a7e9f8ae7cb9e5b75593a871e48feba9cc8ec401e5d1cd529d1efa307ad9b63
Instruction ID: 8fd5c4e51abb982f0b489b816c1602998146c71bdd324d409f63a50a3a38bd20
Opcode Fuzzy Hash: 6a7e9f8ae7cb9e5b75593a871e48feba9cc8ec401e5d1cd529d1efa307ad9b63
Instruction Fuzzy Hash: 20012673A10251ABFB2466B7BC86FBF729CA714750F140421F803E71C3E6A99C44A2A0

Function 01001204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 01001276
WSAGetLastError.WSOCK32 ref: 01001283
bind.WSOCK32(00000000,?,00000010), ref: 010012BA
WSAGetLastError.WSOCK32 ref: 010012C5
closesocket.WSOCK32(00000000), ref: 010012F4
listen.WSOCK32(00000000,00000005), ref: 01001303
WSAGetLastError.WSOCK32 ref: 0100130D
closesocket.WSOCK32(00000000), ref: 0100133C

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 29dfcb2c66ab28ba7f356da492fec83c4bf3d00c165141c311ea17c46a9f87c0
Instruction ID: be08931626b3d6221c4973d68b248d083a5d4976e61c0d56e600f1a92eceade6
Opcode Fuzzy Hash: 29dfcb2c66ab28ba7f356da492fec83c4bf3d00c165141c311ea17c46a9f87c0
Instruction Fuzzy Hash: AB4193716001009FE721DF68C5C4B69BBE6BF46328F188198E9968F2D6C775EC81CBE1

Function 00FBB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FBB9D4
_free.LIBCMT ref: 00FBB9F8
_free.LIBCMT ref: 00FBBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01023700), ref: 00FBBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0105121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00FBBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,01051270,000000FF,?,0000003F,00000000,?), ref: 00FBBC36
_free.LIBCMT ref: 00FBBD4B

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 5b330eac7b943fdf0f1be95d84ba2169c986b3608fe180ea48414edf7a84d1a5
Instruction ID: 6535c77eff686746b876fd563d8ba682eee9f6f8bc8b101bab57b03cc592e85c
Opcode Fuzzy Hash: 5b330eac7b943fdf0f1be95d84ba2169c986b3608fe180ea48414edf7a84d1a5
Instruction Fuzzy Hash: 96C11671D04204AFDB20DF6A8C41BEA7BB8EF45360F18419AE894D7245EBB99E41EF50

Function 00FED3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F83A97,?,?,00F82E7F,?,?,?,00000000), ref: 00F83AC2

Part of subcall function 00FEE199: GetFileAttributesW.KERNEL32(?,00FECF95), ref: 00FEE19A

FindFirstFileW.KERNEL32(?,?), ref: 00FED420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FED470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FED481
FindClose.KERNEL32(00000000), ref: 00FED498
FindClose.KERNEL32(00000000), ref: 00FED4A1

Strings

\*.*, xrefs: 00FED3F2

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4a3295960f439e27241fc4a3ef4dc7a482698b1f296fe96ee1490196ceb8b50f
Instruction ID: a2e6e954b4c15d7ba0c7005597947ae1563753be8789da84c3025dcda4b0b044
Opcode Fuzzy Hash: 4a3295960f439e27241fc4a3ef4dc7a482698b1f296fe96ee1490196ceb8b50f
Instruction Fuzzy Hash: 8F319C7140C3819BD315FF60CC918EFB7A8AEA1314F444A1EF4D592191EB29EA09EB63

Function 00FBE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00FBE645

Strings

1#IND, xrefs: 00FBF83D
1#INF, xrefs: 00FBF852
1#QNAN, xrefs: 00FBF84B
1#SNAN, xrefs: 00FBF844

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e7f23c3e1a17e2384c0b954b7f8098cae8f5ac4f1f7dd1887de0f86c6e063253
Instruction ID: 56c1d86500d01dc25ba68757f0f06af223031b88e0c9c353394ff418435dad7b
Opcode Fuzzy Hash: e7f23c3e1a17e2384c0b954b7f8098cae8f5ac4f1f7dd1887de0f86c6e063253
Instruction Fuzzy Hash: 47C26D72E046288FDB25CF29DD407EAB7B5EB49314F1441EAD84DE7240E778AE85AF40

Function 00FF648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FF64DC
CoInitialize.OLE32(00000000), ref: 00FF6639
CoCreateInstance.OLE32(0101FCF8,00000000,00000001,0101FB68,?), ref: 00FF6650
CoUninitialize.OLE32 ref: 00FF68D4

Strings

.lnk, xrefs: 00FF64BA, 00FF6524, 00FF65E0

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 80776119f69e38a5578ab1b180ccb483f94575dab0e592536c587436f633140b
Instruction ID: 9f10a3ed2b95f4f2c6f0a0687d6519a986adf32a04db5fa09e3492ef685a793b
Opcode Fuzzy Hash: 80776119f69e38a5578ab1b180ccb483f94575dab0e592536c587436f633140b
Instruction Fuzzy Hash: ADD16A715083059FD304EF24C881AABB7E8FF94304F14491DF595DB2A1EB75E909CBA2

Function 00FF9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00FF9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00FF9C8B

Part of subcall function 00FF3874: GetInputState.USER32 ref: 00FF38CB
Part of subcall function 00FF3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FF3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00FF9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00FF9C75

Strings

*.*, xrefs: 00FF9B5D

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 51e7e13adbc35db87c6b745c553023c3638b528c593b0c6a37e7a3ba7db31aa0
Instruction ID: 5613db3ce1f8a5f54da6bd23340f4c29164c472718e8a05245090a8270ef3371
Opcode Fuzzy Hash: 51e7e13adbc35db87c6b745c553023c3638b528c593b0c6a37e7a3ba7db31aa0
Instruction Fuzzy Hash: DA41BE71D4820E9BDF14EF64C985BEE7BB4EF05310F104055E505A21A0EB759E84DF60

Function 00F9997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F99A4E
GetSysColor.USER32(0000000F), ref: 00F99B23
SetBkColor.GDI32(?,00000000), ref: 00F99B36

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 0b9065a93d1816b62cbeb66104d74e17d682a8742acc8f10180e5a8bcd648abc
Instruction ID: 9103645620ce5b9e871f63adb665c41f67720cecfb10b7eeeeabc43f7af46f98
Opcode Fuzzy Hash: 0b9065a93d1816b62cbeb66104d74e17d682a8742acc8f10180e5a8bcd648abc
Instruction Fuzzy Hash: 3DA1FA7150C604AFFB34AA2C8C58FBB365EDB86360B1A410EF541CA695DA6EDD01F372

Function 01001806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0100304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0100307A
Part of subcall function 0100304E: _wcslen.LIBCMT ref: 0100309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0100185D
WSAGetLastError.WSOCK32 ref: 01001884
bind.WSOCK32(00000000,?,00000010), ref: 010018DB
WSAGetLastError.WSOCK32 ref: 010018E6
closesocket.WSOCK32(00000000), ref: 01001915

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 31b768694c71a35524b1f689e87990d00b49a7fe24946bdf90be81873cc37790
Instruction ID: f203eb763a0288c535512a773453be9bb5327879befd5a257cd6e3e32f733837
Opcode Fuzzy Hash: 31b768694c71a35524b1f689e87990d00b49a7fe24946bdf90be81873cc37790
Instruction Fuzzy Hash: 89519571A00200AFEB11EF28C886F6A77E5AF44718F088098FA559F3C3C779ED4187A1

Function 01011C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 01011CC0
IsWindowEnabled.USER32 ref: 01011CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 01011CDB
IsIconic.USER32 ref: 01011CE9
IsZoomed.USER32 ref: 01011CF7

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 0317c1784c6b5e2f6fa04e89c234bd7b9244cef1035d243a56ec4b250ed88ea5
Instruction ID: 95079b010ed8a66e5bf647284397b15586c10667554cce975b28c165d72ce5e7
Opcode Fuzzy Hash: 0317c1784c6b5e2f6fa04e89c234bd7b9244cef1035d243a56ec4b250ed88ea5
Instruction Fuzzy Hash: 0D21D6317402055FE7249F2AD844B5A7BE5EF85314F188098E9C58B349CB7AD842CB90

Function 00F88060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00F8843C
VUUU, xrefs: 00FC5DF0
ERCP, xrefs: 00F8813C
VUUU, xrefs: 00F883E8
VUUU, xrefs: 00F883FA

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 641cac1e1c5ee8a50196abd5a921a55444231b63ab78daf497d90142825a77c6
Instruction ID: d89dc3d1044fa1ca9e301385f14992cdaf946413bbb31922715091d28a106e2e
Opcode Fuzzy Hash: 641cac1e1c5ee8a50196abd5a921a55444231b63ab78daf497d90142825a77c6
Instruction Fuzzy Hash: 25A2A071E0421ACBDF24DF58C941BEDB7B1BF44760F6481A9D815AB284EB309D82EF90

Function 00FEAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00FEAAAC
SetKeyboardState.USER32(00000080), ref: 00FEAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00FEAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00FEAB88

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1d566e63cf73b40f0029a10bab0e43a6959d68520312011f114e6cf8d0c66ead
Instruction ID: d0d75afd907344d5e93e8c032a3c3d9c6f0d45767b6f753e21409622d03281b6
Opcode Fuzzy Hash: 1d566e63cf73b40f0029a10bab0e43a6959d68520312011f114e6cf8d0c66ead
Instruction Fuzzy Hash: 13314C30E40788AEFF31CA66CC05BFA77A7ABD4320F04421AF181961D1D379A985E762

Function 00FFCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00FFCE89
GetLastError.KERNEL32(?,00000000), ref: 00FFCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00FFCEFE

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 4a40dfcff6e69c7d8d59dde08d108ea58c161fd0a999a27e145b9b71eab3afc0
Instruction ID: da63ef188d640900a0872a5926e4d428025bcfb437cf65d8e850305bf6ad5847
Opcode Fuzzy Hash: 4a40dfcff6e69c7d8d59dde08d108ea58c161fd0a999a27e145b9b71eab3afc0
Instruction Fuzzy Hash: EB21B0B194031D9BE730CFA5CA44BB6B7F8EF40364F10441EE646D2161E779EE04ABA0

Function 00FE8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FE82AA

Strings

|, xrefs: 00FE82DA
(, xrefs: 00FE82F0

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 6224d42ac77967f5481448e1c06a2edaa5f864fc5ac5b7acfdb3ff7d57c46ab7
Instruction ID: b4dc651ff13669e8b634df90736a7390035862c7ea75e6caecfa3ea9120fe890
Opcode Fuzzy Hash: 6224d42ac77967f5481448e1c06a2edaa5f864fc5ac5b7acfdb3ff7d57c46ab7
Instruction Fuzzy Hash: 19324775A007459FCB28DF59C480A6AB7F0FF48760B15C46EE49ADB3A1EB70E942DB40

Function 00FF5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FF5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00FF5D17
FindClose.KERNEL32(?), ref: 00FF5D5F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 78dab110f6b76f6b030cb3eecaa218ea8a86f8d7f1604d424ea49d3055218ac4
Instruction ID: 7b895b9643592f75649051f3b2ded59260384c0cccc8e6140959963dca4ae3ee
Opcode Fuzzy Hash: 78dab110f6b76f6b030cb3eecaa218ea8a86f8d7f1604d424ea49d3055218ac4
Instruction Fuzzy Hash: FD51CC74A046059FD714DF28C884EAAB7E4FF49324F14855DEA9A8B3A1CB34EC04DBA1

Function 00FB2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00FB271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FB2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00FB2731

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 13e8f4d17cb920f90993846203afdcbe2895cedbf231cdb36cf668357aa2b04e
Instruction ID: e09a0f15edf20fd56f8c19a61f9dcc2fbc8196898090778de3d7713b5064a1e3
Opcode Fuzzy Hash: 13e8f4d17cb920f90993846203afdcbe2895cedbf231cdb36cf668357aa2b04e
Instruction Fuzzy Hash: AA31D5749412189BCB61DF68DD887DCB7B8AF08310F5041EAE41CA7260EB389F819F44

Function 00FF51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FF51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FF5238
SetErrorMode.KERNEL32(00000000), ref: 00FF52A1

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 6db8e17a659eaeb628c962cd7a604aeb53e51643bf2f83b1adcb3e90e2af94f6
Instruction ID: f6dcbdc0b686f2825e760c6f69607ada916084d856cbb2991b2f616ecbd55ca1
Opcode Fuzzy Hash: 6db8e17a659eaeb628c962cd7a604aeb53e51643bf2f83b1adcb3e90e2af94f6
Instruction Fuzzy Hash: 21317C75A00508DFDB00EF54D884EADBBB4FF09318F088099E945AB366CB36E845DBA0

Function 00FE16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F9FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FA0668
Part of subcall function 00F9FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FA0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FE170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FE173A
GetLastError.KERNEL32 ref: 00FE174A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 3f20bf432f464148df21bf2841fbd64c0e5ebf8fd537cbec8a469d4c8934614c
Instruction ID: 0de1eca9048ca2dd535cd65c08c03f22a326566040876521247e31f9f3c46d65
Opcode Fuzzy Hash: 3f20bf432f464148df21bf2841fbd64c0e5ebf8fd537cbec8a469d4c8934614c
Instruction Fuzzy Hash: 9711C1B2410304AFE7289F55DC86D6AB7B9FB44714B20852EF05697241EB74FC45CB20

Function 00FED5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FED608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00FED645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FED650

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 8f892b139236003c66182384ccd061bb829d80c472532a7573832a8bfe0c848c
Instruction ID: 3fb616359afde7194fdba0a1b1ef60d9541c1d1137ad704aeba2127fe2f05073
Opcode Fuzzy Hash: 8f892b139236003c66182384ccd061bb829d80c472532a7573832a8bfe0c848c
Instruction Fuzzy Hash: 4E118E71E41228BFEB208F95DC44FAFBBBCEB45B60F108111F914E7280C2744A018BA1

Function 00FE1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00FE168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FE16A1
FreeSid.ADVAPI32(?), ref: 00FE16B1

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b002b257f0940228bd0430cf250c0cf0b9c2bbc94ab7d9e2c9b3b916bbcf7274
Instruction ID: 72a167002108dd58ef546c54b4a8d5ed403749ffe4ed4a1cb9886f5bd2aeadc0
Opcode Fuzzy Hash: b002b257f0940228bd0430cf250c0cf0b9c2bbc94ab7d9e2c9b3b916bbcf7274
Instruction Fuzzy Hash: CFF0F471990309BBEB10DFE49989EAEBBBCFB08604F504565E501E2181E779EA449B50

Function 00FBC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00FBC36C

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 710280c23ed95c60372dd41a5140e37c3e2818149edba69225372673297e6ee3
Instruction ID: 812a05c16062e9317dcf2672ff04def296f1aeeb45f4eee693f2edea221a61cb
Opcode Fuzzy Hash: 710280c23ed95c60372dd41a5140e37c3e2818149edba69225372673297e6ee3
Instruction Fuzzy Hash: 1C412976900219AFCB20DFBACC89EFB77B8EB84314F544269F905D7180E6719E819F90

Function 00FEE3B9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00FEE3ED

Strings

DOWN, xrefs: 00FEE3D2

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 614b21e141481e3681356a749ec7a46f787dbe2fec23898701cbad001974ea7e
Instruction ID: 47245b5fdb0449533cb0dd222d2b0f75744e851cf64f0c5242f682fecc63457f
Opcode Fuzzy Hash: 614b21e141481e3681356a749ec7a46f787dbe2fec23898701cbad001974ea7e
Instruction Fuzzy Hash: 5DE086A2ADC7213DB92414167C06DF6174CCB12235B11121AF8409A0C0DE985C81B168

Function 00FDD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00FDD28C

Strings

X64, xrefs: 00FDD2A8

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: d1f17499b4ce001367d8f3606767d13579e97ac17f8cc11d50981b8df7c19178
Instruction ID: 9b78ce9e738f26aba207ca0170177be806af13cbcd57b0b88bf1411293544aee
Opcode Fuzzy Hash: d1f17499b4ce001367d8f3606767d13579e97ac17f8cc11d50981b8df7c19178
Instruction Fuzzy Hash: 89D0C9B580111DEADF94CA90D888ED9B37CBB04345F100152F146A2100D73495489F10

Function 00FACAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 7a60ae0b20a1f8a43d8d1f57a2acb9f4993804403e14513e7dce5f1c7fc49723
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 11021CB2E002199FDF14CFA9C9806ADFBF1EF49324F254169D919E7380D731A9419BD4

Function 00FF68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FF6918
FindClose.KERNEL32(00000000), ref: 00FF6961

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7c07a526c52888b8c67124f56c5a9b000985fa968578ddff8c82727136a12bce
Instruction ID: 2a2a29c89dadf045f18d1bb1b6962fd72db6d10b194d883923da96e2acbbaf4d
Opcode Fuzzy Hash: 7c07a526c52888b8c67124f56c5a9b000985fa968578ddff8c82727136a12bce
Instruction Fuzzy Hash: 9911D0316042009FD720DF29D885A26BBE0FF84328F14C699F5698F2A2CB74EC05CBA0

Function 00FF37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,01004891,?,?,00000035,?), ref: 00FF37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,01004891,?,?,00000035,?), ref: 00FF37F4

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6d0328797abfcd395174a652e1254fa2f386b4166fa5bd54d8b4d63121c44525
Instruction ID: 254d594ef1ab17731f98d7b98d1146db81ee6937b535566103b569819a4ca6d4
Opcode Fuzzy Hash: 6d0328797abfcd395174a652e1254fa2f386b4166fa5bd54d8b4d63121c44525
Instruction Fuzzy Hash: 45F0E5B1A082292AE72026669D4DFEB3AAEEFC5761F000165F609D2285D9A89944D7B0

Function 00FEB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00FEB25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00FEB270

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: e459d9e0c9ce4bb276d7bb7d1caf165877304c247ae059cdd50835f2fcb146a8
Instruction ID: cd0bce7a0c9bd1f69ef8da148716c7774603da7f3e6e2b3efab38527ae99ba19
Opcode Fuzzy Hash: e459d9e0c9ce4bb276d7bb7d1caf165877304c247ae059cdd50835f2fcb146a8
Instruction Fuzzy Hash: 09F01D7184428DABEB169FA1C805BAE7BB4FF04315F008009F955A5195C37DC6119F94

Function 00FE10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FE11FC), ref: 00FE10D4
CloseHandle.KERNEL32(?,?,00FE11FC), ref: 00FE10E9

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: f477090c69c03e55d1c1bdf2bc98ab744ce64149e55d5e7b134f79a92e12b80d
Instruction ID: 86ccd352f7a9a5764b14497cd39ef491aa4048153848d1f6d33b5ce52e9564a1
Opcode Fuzzy Hash: f477090c69c03e55d1c1bdf2bc98ab744ce64149e55d5e7b134f79a92e12b80d
Instruction Fuzzy Hash: A0E04F32004610AFFB352B11FC05E7377A9FB04320B20882EF5A5804B5DB66AC90EB10

Function 00F8CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00FD0C40

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 1c42a8772bdd302da0ecd828956454cf9b75065cbd660a3077581472dbc44423
Instruction ID: 412f2497cd9b662bf61fde28fe38a52ee5652b42844d2a339f4a5f738095e094
Opcode Fuzzy Hash: 1c42a8772bdd302da0ecd828956454cf9b75065cbd660a3077581472dbc44423
Instruction Fuzzy Hash: A0329D31D00218DBDF14EF90D881BEDB7B6FF05318F14805AE906AB292DB75AD45EBA0

Function 00FB676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00FB6766,?,?,00000008,?,?,00FBFEFE,00000000), ref: 00FB6998

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: e2a4e6a4811c37bde8ec7841697a0aa3d42abf74d73757593f7ff4b1242e4ca2
Instruction ID: d576bbe58957bd3a3f4180470d625df3fa9b551514cb15cef0c66948dfbe0922
Opcode Fuzzy Hash: e2a4e6a4811c37bde8ec7841697a0aa3d42abf74d73757593f7ff4b1242e4ca2
Instruction Fuzzy Hash: C2B15E32510608DFDB15CF29C486BA57BE0FF45364F258658E899CF2A1C739D991DF40

Function 00F9B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00FD851F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8c1e9e21c3fad749d90d774351f82a031dd20f29cb1c5e7d1270256d15f1b068
Instruction ID: 1e448f7fe35604c6953696ad406f16d4d7fc6a884f32f570d404c57a74c1254a
Opcode Fuzzy Hash: 8c1e9e21c3fad749d90d774351f82a031dd20f29cb1c5e7d1270256d15f1b068
Instruction Fuzzy Hash: 29125F71D00229DBDF24CF58D980BEEB7B5FF48710F14819AE849EB255DB349A81EB90

Function 00FFEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00FFEABD

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 674b2da9009484c91348af48db0175b50404e69be54b510c90a3c5336eebde63
Instruction ID: a849259927ecbc294154d6052b48320138b84b56d91c8dba8a978de1a83b9baf
Opcode Fuzzy Hash: 674b2da9009484c91348af48db0175b50404e69be54b510c90a3c5336eebde63
Instruction Fuzzy Hash: BCE01A362002049FD710EF59D805E9ABBE9AF98760F008416FD49CB261DA78E8409BA0

Function 00FA09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00FA03EE), ref: 00FA09DA

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 702660381c778d05a6925f4c47be082436245cb033f834f97747699164d38d57
Instruction ID: 31cb92f8c27e24675404162748067ef43fdd5845c7908fc109fb7a44253bd877
Opcode Fuzzy Hash: 702660381c778d05a6925f4c47be082436245cb033f834f97747699164d38d57
Instruction Fuzzy Hash:

Function 00FA781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00FA798B

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: c66f7cbdd7fc692f455a6bfac746c8fcb71b60fa72ceea602b0b71353f998568
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: A3516AF2E0C7055BDB3875288C59FBF63999B07360F28051AD886D7292C61DEE06F356

Function 00FB6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac993dc1e221aa90a778f8bd1e94950e990fd68d3f867b838c9a101e9b2207e
Instruction ID: 3b98d3087681ad460155f4f6edffe3d1d88771add9858a3411efef33d6e17966
Opcode Fuzzy Hash: 9ac993dc1e221aa90a778f8bd1e94950e990fd68d3f867b838c9a101e9b2207e
Instruction Fuzzy Hash: F7322432D29F014DDB33A935D822335A249AFF73D5F25C737E81AB5999EB29C4835600

Function 00F9CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36937607f85b60196a24471167e746cae88623c65a676714dc4736f731d098f7
Instruction ID: bc77a09bc449cd9654e520a17f6b1e38d21c0bdc1ccd75b858d91562f8531175
Opcode Fuzzy Hash: 36937607f85b60196a24471167e746cae88623c65a676714dc4736f731d098f7
Instruction Fuzzy Hash: 3732F332E401968BDF28CA68C4A067D7BA3EB45320F2C856BD599CB391D634DD81FBC1

Function 00F87920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d88f57a5c4df73afdd7dbfa9a9644dd3934c4c738f34e265c4e1497dbf21f1
Instruction ID: a4a13bc14213c1ad9e30840d8df09f84face63445d7ff1cc1e416fdd7440641a
Opcode Fuzzy Hash: 07d88f57a5c4df73afdd7dbfa9a9644dd3934c4c738f34e265c4e1497dbf21f1
Instruction Fuzzy Hash: 7822C371E046069FDF14EF64C982BEEB3B2FF44710F244529E412A7291EB39E954EB50

Function 00F891C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db12b6b638e12a4e645b7041ea51092198e509dd10c6ef6410766cb4dd7bd4f
Instruction ID: b1a4a311908f7fe4f5015867a88634f01f61ca8f5c3678dc452178223022b5ab
Opcode Fuzzy Hash: 8db12b6b638e12a4e645b7041ea51092198e509dd10c6ef6410766cb4dd7bd4f
Instruction Fuzzy Hash: F502B4B1E0020AEFDF04DF54D982BADB7B5FF44310F148169E806DB290EB75AA14EB90

Function 00FB9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51974facc6f0d4a5ea25844b84f97a525630be8c627f31f6eb1002033747bb00
Instruction ID: d6865742c0e31a6fa3ee4de6cb9109000e776e57e6cc8c997965b99341b8ba30
Opcode Fuzzy Hash: 51974facc6f0d4a5ea25844b84f97a525630be8c627f31f6eb1002033747bb00
Instruction Fuzzy Hash: 60B1C030D2AF414DD23399398831336B65CBFBB6D5B61D71BFC5678E16EB2A86834240

Function 00FA1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: abafc24050dff839ba82b4c992d9d941e4e271ed4cb194cf8f8ea8a224f92bbb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 709157B3A080A34ADB29463E857417EFFE16A933B1B1B079DD4F2CA1C5FE149954F620

Function 00FA1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 3f49149e82872058a92001ecd13c079826a60d67d8578eda1025abe0979e55c7
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 289140B3B090E34EDB69423D847413EFEE15A933B171A079EE4F2CA1C5EE249954F620

Function 00FA19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: ce235549ba842d97c2ec1a79c477339449aa64190c5aaad957f4923ecf2ea51e
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: AD9133B36090A34ADB2D467A857407EFFE16A933B2B1B079DD4F2CA1C1FD249564F620

Function 00FA7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656995fe169c6323ff525deab172c3cc3723d1fb059c0b0aeadb54d41a8f9320
Instruction ID: 4e52876af143589545f4fe2f75fbb5275d5430eb05b231494ef57fe794d75ac4
Opcode Fuzzy Hash: 656995fe169c6323ff525deab172c3cc3723d1fb059c0b0aeadb54d41a8f9320
Instruction Fuzzy Hash: FB617BF2A0870566DA34B9288C95FBF3394DFC37A0F140919E843CB295D6599E43B375

Function 00FA7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fbe123ac5ffe00c81f1b26ae672df4e33bf97ca9926a2296e5438308d97725
Instruction ID: 4ccea432dd4e350a13c1588ca185da183eb0e050613c9bcf6e103e473a082bf0
Opcode Fuzzy Hash: 97fbe123ac5ffe00c81f1b26ae672df4e33bf97ca9926a2296e5438308d97725
Instruction Fuzzy Hash: 21618AF2E0870956DE387A288C95FBF3394DF43760F140959E843CB281EA56AD43B355

Function 00FA1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 205dd7e31516e186091ed47271694cc52ec3efd0ab19197057909137682c90bd
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8D8142B3A090A349EB6D463A857443EFFE17A933B1B1B079DD4F2CA1C1EE249554F620

Function 00FF2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad8c0025952217aecad313947fbbde9dc1ad2eb8d601f4c0dda9a7ae2ef498e
Instruction ID: 91d0a7c62c3d1bf936cd833e540e78c0ef69274358b90d5868ec2057073c9d87
Opcode Fuzzy Hash: 1ad8c0025952217aecad313947fbbde9dc1ad2eb8d601f4c0dda9a7ae2ef498e
Instruction Fuzzy Hash: AA21BB326206158BDB28CE79C81367E73D5AB54320F158A2EE4A7C37D4DE3AA904D750

Function 01002ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01002B30
DeleteObject.GDI32(00000000), ref: 01002B43
DestroyWindow.USER32 ref: 01002B52
GetDesktopWindow.USER32 ref: 01002B6D
GetWindowRect.USER32(00000000), ref: 01002B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 01002CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 01002CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01002CF8
GetClientRect.USER32(00000000,?), ref: 01002D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01002D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01002D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01002D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01002D80
GlobalLock.KERNEL32(00000000), ref: 01002D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01002D98
GlobalUnlock.KERNEL32(00000000), ref: 01002DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01002DA8
GlobalFree.KERNEL32(00000000), ref: 01002DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01002DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0101FC38,00000000), ref: 01002DDB
GlobalFree.KERNEL32(00000000), ref: 01002DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 01002E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 01002E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01002E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0100303F

Strings

, xrefs: 01002FC5
static, xrefs: 01002D3A, 01002E91
AutoIt v3, xrefs: 01002CF2
DISPLAY, xrefs: 01002EA2

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 7d55f66443aea02a1ada10df3c92ebc842008ca9d29e79bbd6b161d0d9face53
Instruction ID: adf26564899b51625d28e6526a24d60cc0c4acab7ca36921703ed96271b0aba1
Opcode Fuzzy Hash: 7d55f66443aea02a1ada10df3c92ebc842008ca9d29e79bbd6b161d0d9face53
Instruction Fuzzy Hash: A602BD71500208AFEB25DFA4CD88EAE7BB9FF49710F048158F955AB295CB39ED00CB60

Function 010170D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0101712F
GetSysColorBrush.USER32(0000000F), ref: 01017160
GetSysColor.USER32(0000000F), ref: 0101716C
SetBkColor.GDI32(?,000000FF), ref: 01017186
SelectObject.GDI32(?,?), ref: 01017195
InflateRect.USER32(?,000000FF,000000FF), ref: 010171C0
GetSysColor.USER32(00000010), ref: 010171C8
CreateSolidBrush.GDI32(00000000), ref: 010171CF
FrameRect.USER32(?,?,00000000), ref: 010171DE
DeleteObject.GDI32(00000000), ref: 010171E5
InflateRect.USER32(?,000000FE,000000FE), ref: 01017230
FillRect.USER32(?,?,?), ref: 01017262
GetWindowLongW.USER32(?,000000F0), ref: 01017284

Part of subcall function 010173E8: GetSysColor.USER32(00000012), ref: 01017421
Part of subcall function 010173E8: SetTextColor.GDI32(?,?), ref: 01017425
Part of subcall function 010173E8: GetSysColorBrush.USER32(0000000F), ref: 0101743B
Part of subcall function 010173E8: GetSysColor.USER32(0000000F), ref: 01017446
Part of subcall function 010173E8: GetSysColor.USER32(00000011), ref: 01017463
Part of subcall function 010173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 01017471
Part of subcall function 010173E8: SelectObject.GDI32(?,00000000), ref: 01017482
Part of subcall function 010173E8: SetBkColor.GDI32(?,00000000), ref: 0101748B
Part of subcall function 010173E8: SelectObject.GDI32(?,?), ref: 01017498
Part of subcall function 010173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 010174B7
Part of subcall function 010173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010174CE
Part of subcall function 010173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 010174DB

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 8c6f2290bea6386ed2925dadc76dff4a7d5f7cb12d23399144a207dc40ef50f2
Instruction ID: bff69af1a1d5cc5931ba2e95764cc3c4f9d8708b05ced2ffc3320629ca652309
Opcode Fuzzy Hash: 8c6f2290bea6386ed2925dadc76dff4a7d5f7cb12d23399144a207dc40ef50f2
Instruction Fuzzy Hash: 3AA1CF72048301EFEB219F64DD48A6B7BE9FB89320F100A19FAE2961D4D77ED944CB51

Function 00F98D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00F98E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00FD6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FD6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FD6F43

Part of subcall function 00F98F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F98BE8,?,00000000,?,?,?,?,00F98BBA,00000000,?), ref: 00F98FC5

SendMessageW.USER32(?,00001053), ref: 00FD6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FD6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00FD6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00FD6FB7

Strings

0, xrefs: 00FD6DCF

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 461b47fd2a229ade27c8983ddf1ac136e3a04dd564d9703b6f840336e59457c1
Instruction ID: b081fce39fa6789b2eb75a40cac290f67a44843aa67506b1a2b5eec4699e8739
Opcode Fuzzy Hash: 461b47fd2a229ade27c8983ddf1ac136e3a04dd564d9703b6f840336e59457c1
Instruction Fuzzy Hash: 0212BF31A00201AFEB25DF14D954BAABBF6FB45320F18446AF495CB251CB3AEC52EB51

Function 01002711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0100273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0100286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 010028A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 010028B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 01002900
GetClientRect.USER32(00000000,?), ref: 0100290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 01002955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01002964
GetStockObject.GDI32(00000011), ref: 01002974
SelectObject.GDI32(00000000,00000000), ref: 01002978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 01002988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01002991
DeleteDC.GDI32(00000000), ref: 0100299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010029C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 010029DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 01002A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01002A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 01002A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 01002A77
GetStockObject.GDI32(00000011), ref: 01002A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01002A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 01002A97

Strings

static, xrefs: 0100294F, 01002A71
AutoIt v3, xrefs: 010028F8
DISPLAY, xrefs: 0100295A
msctls_progress32, xrefs: 01002A13

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e2205d60002c250bd1cfb2b04e8b28c4f8f9c4a0c951d0eb957f4e6fb6523a02
Instruction ID: 152541f5941568381e357b0bcd957203593696459d311c2c6e8b0ccabed7013c
Opcode Fuzzy Hash: e2205d60002c250bd1cfb2b04e8b28c4f8f9c4a0c951d0eb957f4e6fb6523a02
Instruction Fuzzy Hash: 84B17DB1A40205AFEB24DF68CD49FAE7BA9FB08710F008154F954EB2D1D778E940CB60

Function 00FF4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FF4AED
GetDriveTypeW.KERNEL32(?,0101CB68,?,\\.\,0101CC08), ref: 00FF4BCA
SetErrorMode.KERNEL32(00000000,0101CB68,?,\\.\,0101CC08), ref: 00FF4D36

Strings

ATA, xrefs: 00FF4C98
Virtual, xrefs: 00FF4CE5
1394, xrefs: 00FF4C9F
Network, xrefs: 00FF4C02
CDROM, xrefs: 00FF4BFB
SAS, xrefs: 00FF4CC9
SSD, xrefs: 00FF4C4A
iSCSI, xrefs: 00FF4CC2
SATA, xrefs: 00FF4CD0
PhysicalDrive, xrefs: 00FF4B76
Fibre, xrefs: 00FF4CAD
ATAPI, xrefs: 00FF4C91
SSA, xrefs: 00FF4CA6
RAID, xrefs: 00FF4CBB
RAMDisk, xrefs: 00FF4BF4
MMC, xrefs: 00FF4CDE
FileBackedVirtual, xrefs: 00FF4CEC
USB, xrefs: 00FF4CB4
\\.\, xrefs: 00FF4B3F
Fixed, xrefs: 00FF4C09
Unknown, xrefs: 00FF4BED, 00FF4C83
SCSI, xrefs: 00FF4C8A
Removable, xrefs: 00FF4C10, 00FF4C15

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: c97351bfa9ccbe5454cce30532c4bf2ef8abb297124802883039a2e9516bb0cc
Instruction ID: ffb1e9ca2f959b379845e17633e4ac0f8420c506c521d2efcafc53553326907d
Opcode Fuzzy Hash: c97351bfa9ccbe5454cce30532c4bf2ef8abb297124802883039a2e9516bb0cc
Instruction Fuzzy Hash: F861F771A0520D9BCB04EF14CAC1ABE77A0AF45710B244029FA46AF671DB76FD81FB51

Function 010173E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 01017421
SetTextColor.GDI32(?,?), ref: 01017425
GetSysColorBrush.USER32(0000000F), ref: 0101743B
GetSysColor.USER32(0000000F), ref: 01017446
CreateSolidBrush.GDI32(?), ref: 0101744B
GetSysColor.USER32(00000011), ref: 01017463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 01017471
SelectObject.GDI32(?,00000000), ref: 01017482
SetBkColor.GDI32(?,00000000), ref: 0101748B
SelectObject.GDI32(?,?), ref: 01017498
InflateRect.USER32(?,000000FF,000000FF), ref: 010174B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010174CE
GetWindowLongW.USER32(00000000,000000F0), ref: 010174DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0101752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 01017554
InflateRect.USER32(?,000000FD,000000FD), ref: 01017572
DrawFocusRect.USER32(?,?), ref: 0101757D
GetSysColor.USER32(00000011), ref: 0101758E
SetTextColor.GDI32(?,00000000), ref: 01017596
DrawTextW.USER32(?,010170F5,000000FF,?,00000000), ref: 010175A8
SelectObject.GDI32(?,?), ref: 010175BF
DeleteObject.GDI32(?), ref: 010175CA
SelectObject.GDI32(?,?), ref: 010175D0
DeleteObject.GDI32(?), ref: 010175D5
SetTextColor.GDI32(?,?), ref: 010175DB
SetBkColor.GDI32(?,?), ref: 010175E5

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 275df215a13488331cc7d799febd7e36cf703cb57829ea56616ce8014d06de0d
Instruction ID: 3f2bffefdc2f66b45a0b26136f53c0bc2c88f5dd9c2be5b69ac761f63a1b6551
Opcode Fuzzy Hash: 275df215a13488331cc7d799febd7e36cf703cb57829ea56616ce8014d06de0d
Instruction Fuzzy Hash: 74618C72940218AFEF119FA8DD48EEEBFB9EB09320F144111FA51AB295D779D940CF90

Function 01010FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01011128
GetDesktopWindow.USER32 ref: 0101113D
GetWindowRect.USER32(00000000), ref: 01011144
GetWindowLongW.USER32(?,000000F0), ref: 01011199
DestroyWindow.USER32(?), ref: 010111B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 010111ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0101120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0101121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 01011232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 01011245
IsWindowVisible.USER32(00000000), ref: 010112A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 010112BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 010112D0
GetWindowRect.USER32(00000000,?), ref: 010112E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0101130E
GetMonitorInfoW.USER32(00000000,?), ref: 01011328
CopyRect.USER32(?,?), ref: 0101133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 010113AA

Strings

0, xrefs: 010110D3
tooltips_class32, xrefs: 010111E6
(, xrefs: 0101131B

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 987d4b029e613c2c09eac3766ca99bd0d8a56f422bd86c3b45fb8d300af74c13
Instruction ID: 42471d42e4058eb82dd747ac902166f77c163ca0302c754a563b16e5c1fb48a3
Opcode Fuzzy Hash: 987d4b029e613c2c09eac3766ca99bd0d8a56f422bd86c3b45fb8d300af74c13
Instruction Fuzzy Hash: 16B1AE71608341AFD754DF64C984BAEBBE4FF88310F008958FAD99B295C779E844CB91

Function 01010241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010102E5
_wcslen.LIBCMT ref: 0101031F
_wcslen.LIBCMT ref: 01010389
_wcslen.LIBCMT ref: 010103F1
_wcslen.LIBCMT ref: 01010475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 010104C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01010504

Part of subcall function 00F9F9F2: _wcslen.LIBCMT ref: 00F9F9FD

Part of subcall function 00FE223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FE2258
Part of subcall function 00FE223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FE228A

Strings

DESELECT, xrefs: 0101059C
VIEWCHANGE, xrefs: 01010675
SELECTINVERT, xrefs: 0101057E
GETSELECTEDCOUNT, xrefs: 01010470, 0101048B
SELECTALL, xrefs: 01010515
SELECTCLEAR, xrefs: 0101052D
GETTEXT, xrefs: 010103EC, 01010407
FINDITEM, xrefs: 01010627
GETSELECTED, xrefs: 010105E1
SELECT, xrefs: 01010548
GETSUBITEMCOUNT, xrefs: 01010384, 0101039F
GETITEMCOUNT, xrefs: 01010316, 01010337
ISSELECTED, xrefs: 010104DD

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 2b658ef2372ffeea8c5b14a22a8539a0d0c5efd979ef7eaf10d6aed880d08345
Instruction ID: b2fc3d1246156de467d407f8014682246baafae3d75a07bccef37b5b2657433b
Opcode Fuzzy Hash: 2b658ef2372ffeea8c5b14a22a8539a0d0c5efd979ef7eaf10d6aed880d08345
Instruction Fuzzy Hash: ECE1C1712042018FD714EF28C99086FB7E5BFC8714B14899DF8D69B2AADB38ED85CB51

Function 00F98891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F98968
GetSystemMetrics.USER32(00000007), ref: 00F98970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F9899B
GetSystemMetrics.USER32(00000008), ref: 00F989A3
GetSystemMetrics.USER32(00000004), ref: 00F989C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F989E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F989F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F98A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F98A3C
GetClientRect.USER32(00000000,000000FF), ref: 00F98A5A
GetStockObject.GDI32(00000011), ref: 00F98A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F98A81

Part of subcall function 00F9912D: GetCursorPos.USER32(?), ref: 00F99141
Part of subcall function 00F9912D: ScreenToClient.USER32(00000000,?), ref: 00F9915E
Part of subcall function 00F9912D: GetAsyncKeyState.USER32(00000001), ref: 00F99183
Part of subcall function 00F9912D: GetAsyncKeyState.USER32(00000002), ref: 00F9919D

SetTimer.USER32(00000000,00000000,00000028,00F990FC), ref: 00F98AA8

Strings

AutoIt v3 GUI, xrefs: 00F98A20

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 9b5606c90d087dbf4f8dca7c7d49b1e15f536aca2b2a5f15510f3c7b532abd3f
Instruction ID: ab4bd4add2fc8d3296acb2069a38db65278c488dd4736a81bdc3901a94ecc1f4
Opcode Fuzzy Hash: 9b5606c90d087dbf4f8dca7c7d49b1e15f536aca2b2a5f15510f3c7b532abd3f
Instruction Fuzzy Hash: BBB19131A4020AAFEF24DF68C945BAE3BB5FB48314F14421AFA55E7284DB79D841DF50

Function 00FE0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FE1114
Part of subcall function 00FE10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE1120
Part of subcall function 00FE10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE112F
Part of subcall function 00FE10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE1136
Part of subcall function 00FE10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FE114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FE0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FE0E29
GetLengthSid.ADVAPI32(?), ref: 00FE0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00FE0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FE0E96
GetLengthSid.ADVAPI32(?), ref: 00FE0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FE0EB5
HeapAlloc.KERNEL32(00000000), ref: 00FE0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FE0EDD
CopySid.ADVAPI32(00000000), ref: 00FE0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FE0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FE0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FE0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE0F6E
HeapFree.KERNEL32(00000000), ref: 00FE0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE0F7E
HeapFree.KERNEL32(00000000), ref: 00FE0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE0F8E
HeapFree.KERNEL32(00000000), ref: 00FE0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00FE0FA1
HeapFree.KERNEL32(00000000), ref: 00FE0FA8

Part of subcall function 00FE1193: GetProcessHeap.KERNEL32(00000008,00FE0BB1,?,00000000,?,00FE0BB1,?), ref: 00FE11A1
Part of subcall function 00FE1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FE0BB1,?), ref: 00FE11A8
Part of subcall function 00FE1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FE0BB1,?), ref: 00FE11B7

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4437686c38f13744723ae393aa37d86fc5d7954bcd5239cd28cb3762d5a1c251
Instruction ID: 35bde037181125af3993c6c5a8278aaec54557bb8c1f50b85e703b59cf709dfd
Opcode Fuzzy Hash: 4437686c38f13744723ae393aa37d86fc5d7954bcd5239cd28cb3762d5a1c251
Instruction Fuzzy Hash: F5718C72D0024AABEF209FA6DC44FAEBBB8FF05310F044125F959A6180DB79DE55DB60

Function 0100C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0100C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0101CC08,00000000,?,00000000,?,?), ref: 0100C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0100C5A4
_wcslen.LIBCMT ref: 0100C5F4
_wcslen.LIBCMT ref: 0100C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0100C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0100C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0100C84D
RegCloseKey.ADVAPI32(?), ref: 0100C881
RegCloseKey.ADVAPI32(00000000), ref: 0100C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0100C960

Strings

REG_DWORD, xrefs: 0100C804
REG_EXPAND_SZ, xrefs: 0100C5CD
REG_SZ, xrefs: 0100C644
REG_MULTI_SZ, xrefs: 0100C6F5
REG_BINARY, xrefs: 0100C913
REG_QWORD, xrefs: 0100C8C3

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 033bbbab00250927ae74bb07c447378719dc2cf5248bd08d01583e8376854728
Instruction ID: 3a1faaf423bb61ae3e113d02d198a5ec10bc7f75be56804a532071d345356599
Opcode Fuzzy Hash: 033bbbab00250927ae74bb07c447378719dc2cf5248bd08d01583e8376854728
Instruction Fuzzy Hash: 9812AD352042009FE715EF14C981B6AB7E5FF88314F18899CF98A9B3A2DB35ED41CB91

Function 0101091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010109C6
_wcslen.LIBCMT ref: 01010A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01010A54
_wcslen.LIBCMT ref: 01010A8A
_wcslen.LIBCMT ref: 01010B06
_wcslen.LIBCMT ref: 01010B81

Part of subcall function 00F9F9F2: _wcslen.LIBCMT ref: 00F9F9FD

Part of subcall function 00FE2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FE2BFA

Strings

UNCHECK, xrefs: 01010D3E
CHECK, xrefs: 01010A85, 01010AA0
GETTOTALCOUNT, xrefs: 010109F2, 01010A17
GETTEXT, xrefs: 01010C97
EXPAND, xrefs: 01010BF8
GETSELECTED, xrefs: 01010C4E
ISCHECKED, xrefs: 01010CE1
SELECT, xrefs: 01010D11
GETITEMCOUNT, xrefs: 01010C1E
EXISTS, xrefs: 01010B7C, 01010B97
COLLAPSE, xrefs: 01010B01, 01010B1C

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 648a6c702bdbcd1e35358ba0f45f375625cb00729a33992a0c599a3715323975
Instruction ID: a4b6eeaba1048eab4208853d6a220408ce6146e3a1d493a95de037b3aa2bc5d1
Opcode Fuzzy Hash: 648a6c702bdbcd1e35358ba0f45f375625cb00729a33992a0c599a3715323975
Instruction Fuzzy Hash: 7DE1A0712083018FC714EF29C89096EB7E1BF88314B54899DF8D69B36AD739ED85CB91

Function 0100C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100B6AE,?,?), ref: 0100C9B5
_wcslen.LIBCMT ref: 0100C9F1
_wcslen.LIBCMT ref: 0100CA68
_wcslen.LIBCMT ref: 0100CA9E
_wcslen.LIBCMT ref: 0100CAF9
_wcslen.LIBCMT ref: 0100CB2F
_wcslen.LIBCMT ref: 0100CB7F

Strings

HKLM, xrefs: 0100CA98, 0100CA9D
HKCU, xrefs: 0100CBCE
HKEY_CLASSES_ROOT, xrefs: 0100CAF3, 0100CAF8
HKEY_CURRENT_CONFIG, xrefs: 0100CB79, 0100CB7E
HKCR, xrefs: 0100CB29, 0100CB2E
HKEY_LOCAL_MACHINE, xrefs: 0100CA62, 0100CA67
HKCC, xrefs: 0100CBAC
HKU, xrefs: 0100CBF0
HKEY_USERS, xrefs: 0100CBDF
HKEY_CURRENT_USER, xrefs: 0100CBBD

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 7b15d1ee54c084c79fb3531bde8d3d505f4f760a2660fec5e9dd5a6c07ee7dfe
Instruction ID: e43897877dfc16ca4b8c5c9a3e76c847ee3cdb41d91c8bef6e10a1223d681639
Opcode Fuzzy Hash: 7b15d1ee54c084c79fb3531bde8d3d505f4f760a2660fec5e9dd5a6c07ee7dfe
Instruction Fuzzy Hash: F67102726005268BFB22DE6CCE409BF33D1AB96654F5407E8FCD2972C6E635DD8493A0

Function 0101833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0101835A
_wcslen.LIBCMT ref: 0101836E
_wcslen.LIBCMT ref: 01018391
_wcslen.LIBCMT ref: 010183B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 010183F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,01015BF2), ref: 0101844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01018487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 010184CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01018501
FreeLibrary.KERNEL32(?), ref: 0101850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0101851D
DestroyIcon.USER32(?,?,?,?,?,01015BF2), ref: 0101852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 01018549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 01018555

Strings

.icl, xrefs: 01018368
.exe, xrefs: 01018388
.dll, xrefs: 010183AB

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 3a365ab5e37cd0d1ef6d6202843ce91b739679a81a54c373aecbcab33ecdd9b9
Instruction ID: ad25b55ce6e03aa69a5243450293f72033d442a4eb3ba5b8db2f6d014d662fed
Opcode Fuzzy Hash: 3a365ab5e37cd0d1ef6d6202843ce91b739679a81a54c373aecbcab33ecdd9b9
Instruction Fuzzy Hash: 9861E2B1540205BBEB24DF64CC81BBE77A8FB08710F10864AF995D60D5DBBCEA90D7A0

Function 00F87778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include-once, xrefs: 00F8782F
#notrayicon, xrefs: 00F877E7
Cannot parse #include, xrefs: 00FC5279
#OnAutoItStartRegister, xrefs: 00F87817
Bad directive syntax error, xrefs: 00FC519A
", xrefs: 00FC5153
#comments-start, xrefs: 00F8785F, 00F878B1
#pragma compile, xrefs: 00F877D3
#requireadmin, xrefs: 00F877FF
', xrefs: 00FC5169
#comments-end, xrefs: 00F878D9
#cs, xrefs: 00F87873, 00F878C5
#ce, xrefs: 00F878ED
Unterminated group of comments, xrefs: 00FC528C
#include, xrefs: 00F87847

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 0decb9065059ed00bc1f545e09ae1fe2cc26caa1c86412612350f49d437e8601
Instruction ID: 937ecf3a58849d45b455c8dc637ad060fc7222c8c1e751155b3c457efca056b1
Opcode Fuzzy Hash: 0decb9065059ed00bc1f545e09ae1fe2cc26caa1c86412612350f49d437e8601
Instruction Fuzzy Hash: DB8129B1A44306BBDB20BF60CD83FEE77A4AF15750F144028F804AA196EB78D945F7A0

Function 00FF3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00FF3EF8
_wcslen.LIBCMT ref: 00FF3F03
_wcslen.LIBCMT ref: 00FF3F5A
_wcslen.LIBCMT ref: 00FF3F98
GetDriveTypeW.KERNEL32(?), ref: 00FF3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FF401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FF4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FF4087

Strings

wait, xrefs: 00FF4044
close, xrefs: 00FF3EFE, 00FF3F18
type cdaudio alias cd wait, xrefs: 00FF4001
open , xrefs: 00FF3FE5
closed, xrefs: 00FF3F08, 00FF3F2D, 00FF3F46, 00FF3F7E, 00FF3F97
set cd door , xrefs: 00FF4028
open, xrefs: 00FF3F54, 00FF3F59
close cd wait, xrefs: 00FF4072

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: e3d3252dbec0b552c816db7dbc1879e1b5a5f7fa65a8e4b2cf92acbfeef535aa
Instruction ID: 6c3c3c69e89d11d8dbd781a44b8e05f75d96409a1a1c97fdcdf32e1ced8afc17
Opcode Fuzzy Hash: e3d3252dbec0b552c816db7dbc1879e1b5a5f7fa65a8e4b2cf92acbfeef535aa
Instruction Fuzzy Hash: 2571E072A042069FC310EF24C8809BBB7F4EF95768F00492DF695972A1EB35EE45DB91

Function 00FE5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00FE5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FE5A40
SetWindowTextW.USER32(?,?), ref: 00FE5A57
GetDlgItem.USER32(?,000003EA), ref: 00FE5A6C
SetWindowTextW.USER32(00000000,?), ref: 00FE5A72
GetDlgItem.USER32(?,000003E9), ref: 00FE5A82
SetWindowTextW.USER32(00000000,?), ref: 00FE5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00FE5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00FE5AC3
GetWindowRect.USER32(?,?), ref: 00FE5ACC
_wcslen.LIBCMT ref: 00FE5B33
SetWindowTextW.USER32(?,?), ref: 00FE5B6F
GetDesktopWindow.USER32 ref: 00FE5B75
GetWindowRect.USER32(00000000), ref: 00FE5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00FE5BD3
GetClientRect.USER32(?,?), ref: 00FE5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00FE5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00FE5C2F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: ac064cd0dbb9736bcfac4e225183deae51af9a034c1e07116a6a00542ec57269
Instruction ID: 35864acb904836a82b2ef6454187239ee7b30a14125f13aa825d3c1c692531e5
Opcode Fuzzy Hash: ac064cd0dbb9736bcfac4e225183deae51af9a034c1e07116a6a00542ec57269
Instruction Fuzzy Hash: 27718031900B45AFDB20DFA9CE85BAEBBF5FF48B18F104918E182A3590D779E900DB50

Function 00FFFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00FFFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00FFFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00FFFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00FFFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00FFFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00FFFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00FFFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00FFFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00FFFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00FFFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00FFFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00FFFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00FFFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00FFFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00FFFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00FFFECC
GetCursorInfo.USER32(?), ref: 00FFFEDC
GetLastError.KERNEL32 ref: 00FFFF1E

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 9ffe22c31c17f3c7abde822825fa95385136e83dc855e704b6e719c7083bad9b
Instruction ID: 0725e69df3a8dfbbd98082de421aabf30da01b5ed288bf9e0b92d86819cdfb70
Opcode Fuzzy Hash: 9ffe22c31c17f3c7abde822825fa95385136e83dc855e704b6e719c7083bad9b
Instruction Fuzzy Hash: 4D4144B0D443196ADB109FBA8C8586EBFE8FF04764B50452AE11DEB291DB78E901CF91

Function 00FA00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00FA00C6

Part of subcall function 00FA00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0105070C,00000FA0,C24A7999,?,?,?,?,00FC23B3,000000FF), ref: 00FA011C
Part of subcall function 00FA00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00FC23B3,000000FF), ref: 00FA0127
Part of subcall function 00FA00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00FC23B3,000000FF), ref: 00FA0138
Part of subcall function 00FA00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00FA014E
Part of subcall function 00FA00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00FA015C
Part of subcall function 00FA00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00FA016A
Part of subcall function 00FA00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FA0195
Part of subcall function 00FA00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FA01A0

___scrt_fastfail.LIBCMT ref: 00FA00E7

Part of subcall function 00FA00A3: __onexit.LIBCMT ref: 00FA00A9

Strings

kernel32.dll, xrefs: 00FA0133
InitializeConditionVariable, xrefs: 00FA0148
SleepConditionVariableCS, xrefs: 00FA0154
WakeAllConditionVariable, xrefs: 00FA0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00FA0122

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 16f9b12f83ae28c125845a1305354d0f58bbccaa507183ff7387bea715c7b06f
Instruction ID: 8b605c59af09fa30c1b51d8c52d489d32fea519e07eef3e52641ad9c339b1ac2
Opcode Fuzzy Hash: 16f9b12f83ae28c125845a1305354d0f58bbccaa507183ff7387bea715c7b06f
Instruction Fuzzy Hash: 8521D4B2E857116BF7206B65BD06B6E33A4EB06B61F00012AF881E7248DF6DCC009B90

Function 00FE30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FE318D
_wcslen.LIBCMT ref: 00FE31F8

Strings

CLASSNN, xrefs: 00FE31F3, 00FE3204
CLASS, xrefs: 00FE3188, 00FE31A5
INSTANCE, xrefs: 00FE3453
TEXT, xrefs: 00FE347C
REGEXPCLASS, xrefs: 00FE3255, 00FE3266
NAME, xrefs: 00FE3335, 00FE3346

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 7267521b100ff8eb55ea66955495ae86bd8a41219df339419ed094d4322a866c
Instruction ID: bae3206c6f72a12b4d45c24d940a617d78268aafc01608b9b1af219ad2a8e2a1
Opcode Fuzzy Hash: 7267521b100ff8eb55ea66955495ae86bd8a41219df339419ed094d4322a866c
Instruction Fuzzy Hash: E9E1D532E00656ABCB14DF66C84DBEEFBB4BF44720F548129E456E7240DB34AE45AB90

Function 00FF44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0101CC08), ref: 00FF4527
_wcslen.LIBCMT ref: 00FF453B
_wcslen.LIBCMT ref: 00FF4599
_wcslen.LIBCMT ref: 00FF45F4
_wcslen.LIBCMT ref: 00FF463F
_wcslen.LIBCMT ref: 00FF46A7

Part of subcall function 00F9F9F2: _wcslen.LIBCMT ref: 00F9F9FD

GetDriveTypeW.KERNEL32(?,01046BF0,00000061), ref: 00FF4743

Strings

removable, xrefs: 00FF45EA, 00FF45EF
unknown, xrefs: 00FF4708
cdrom, xrefs: 00FF458F, 00FF4594
ramdisk, xrefs: 00FF46F1
fixed, xrefs: 00FF4635, 00FF463A
all, xrefs: 00FF4531, 00FF4536
network, xrefs: 00FF469D, 00FF46A2

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 43764760e56fdaa035a162387ee6ae59f37e947037a8c2e7c618489adb8b56ec
Instruction ID: c9a008eb12257a48b14e4087b37c2fe8bd0cc3af76e161761defd7748a64b0b2
Opcode Fuzzy Hash: 43764760e56fdaa035a162387ee6ae59f37e947037a8c2e7c618489adb8b56ec
Instruction Fuzzy Hash: 70B10371A083069BC710EF28C890A7BF7E5BF96720F54491DF696C72A1E734E844DB92

Function 01003FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0101CC08), ref: 010040BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 010040CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0101CC08), ref: 010040F2
FreeLibrary.KERNEL32(00000000,?,0101CC08), ref: 0100413E
StringFromGUID2.OLE32(?,?,00000028,?,0101CC08), ref: 010041A8
SysFreeString.OLEAUT32(00000009), ref: 01004262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 010042C8
SysFreeString.OLEAUT32(?), ref: 010042F2

Strings

kernel32.dll, xrefs: 010040B6
GetModuleHandleExW, xrefs: 010040C7

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: c27aefad52e15a6c9bbcabe8bb37382c380811ce5d645656c08bc30f74d9b6cd
Instruction ID: 0bcf8e99a4bc962e0579cee8d43ea0f0f10efb92bd7a7efd0c4caf3c9e8e8ce8
Opcode Fuzzy Hash: c27aefad52e15a6c9bbcabe8bb37382c380811ce5d645656c08bc30f74d9b6cd
Instruction Fuzzy Hash: 28125C71A00105EFEB56CF58C884EAEBBB5FF45314F158098EA45EB291CB35ED46CBA0

Function 00F8326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(01051990), ref: 00FC2F8D
GetMenuItemCount.USER32(01051990), ref: 00FC303D
GetCursorPos.USER32(?), ref: 00FC3081
SetForegroundWindow.USER32(00000000), ref: 00FC308A
TrackPopupMenuEx.USER32(01051990,00000000,?,00000000,00000000,00000000), ref: 00FC309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FC30A9

Strings

0, xrefs: 00F8327D

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: f2fb2e5ee1e72d028608c79fd4cb5e33ea312b3858367d735d5b789cd183cc30
Instruction ID: 943a25547ba62fc1c61c08ddc864dbda1eb58f4628b81cfa7cfe72cde62746c9
Opcode Fuzzy Hash: f2fb2e5ee1e72d028608c79fd4cb5e33ea312b3858367d735d5b789cd183cc30
Instruction Fuzzy Hash: 70714A71A4420ABEFB219F28CD4AFAABF64FF05774F20421AF5146A1E0C7B5AD50E750

Function 01016CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 01016DEB

Part of subcall function 00F86B57: _wcslen.LIBCMT ref: 00F86B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 01016E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 01016E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01016E94
DestroyWindow.USER32(?), ref: 01016EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F80000,00000000), ref: 01016EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01016EFD
GetDesktopWindow.USER32 ref: 01016F16
GetWindowRect.USER32(00000000), ref: 01016F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 01016F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 01016F4D

Part of subcall function 00F99944: GetWindowLongW.USER32(?,000000EB), ref: 00F99952

Strings

tooltips_class32, xrefs: 01016E58, 01016EDD
0, xrefs: 01016D98

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 30a0d395e0319f9fe27bd3b5a3d78fa293a73bb3334bb83dd84f5ec7667c34da
Instruction ID: 722939773edb8ccaa567eed1a181574feb60cd57bddf681873ccc436f9585a00
Opcode Fuzzy Hash: 30a0d395e0319f9fe27bd3b5a3d78fa293a73bb3334bb83dd84f5ec7667c34da
Instruction Fuzzy Hash: 53714970144244AFEB21DF18CC44BAABBF9EB89304F44095DFAD987265C7BAE905CB11

Function 0101911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

DragQueryPoint.SHELL32(?,?), ref: 01019147

Part of subcall function 01017674: ClientToScreen.USER32(?,?), ref: 0101769A
Part of subcall function 01017674: GetWindowRect.USER32(?,?), ref: 01017710
Part of subcall function 01017674: PtInRect.USER32(?,?,01018B89), ref: 01017720

SendMessageW.USER32(?,000000B0,?,?), ref: 010191B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 010191BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 010191DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 01019225
SendMessageW.USER32(?,000000B0,?,?), ref: 0101923E
SendMessageW.USER32(?,000000B1,?,?), ref: 01019255
SendMessageW.USER32(?,000000B1,?,?), ref: 01019277
DragFinish.SHELL32(?), ref: 0101927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 01019371

Strings

@GUI_DRAGID, xrefs: 010192E9
@GUI_DROPID, xrefs: 0101929E
@GUI_DRAGFILE, xrefs: 01019320

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: bd73959cb75dd030328060ef5e9f8d3e19c4a7dbdd8f8aabe5bb802e60da2e57
Instruction ID: e59af4bd4132c7d5d8af5a9e8270fd0e583feff455e70ded32efd7df8e2bc6ec
Opcode Fuzzy Hash: bd73959cb75dd030328060ef5e9f8d3e19c4a7dbdd8f8aabe5bb802e60da2e57
Instruction Fuzzy Hash: 0C617871108301AFD711EF64DC85DAFBBE8EF89354F00091EF596931A0DB79AA48CB62

Function 00FFC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FFC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FFC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FFC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FFC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00FFC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FFC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FFC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FFC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FFC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FFC5F0
InternetCloseHandle.WININET(00000000), ref: 00FFC5FB

Strings

, xrefs: 00FFC575

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 73c6abaa9eb315ec525972fee1629aa247584188bb9813a00177cd67176c7897
Instruction ID: ca6239591284c9caabaae18305fec8d4b70568309aa8e63617fb93be4030531e
Opcode Fuzzy Hash: 73c6abaa9eb315ec525972fee1629aa247584188bb9813a00177cd67176c7897
Instruction Fuzzy Hash: 8C514FB154021DBFEB218F60CA48ABB7BBCFF04754F084419FA45D6250DB79E944EBA0

Function 0101856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 01018592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010185A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010185AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010185BA
GlobalLock.KERNEL32(00000000), ref: 010185C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010185D7
GlobalUnlock.KERNEL32(00000000), ref: 010185E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010185E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010185F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0101FC38,?), ref: 01018611
GlobalFree.KERNEL32(00000000), ref: 01018621
GetObjectW.GDI32(?,00000018,?), ref: 01018641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 01018671
DeleteObject.GDI32(?), ref: 01018699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 010186AF

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 016c6690ee0f2238c4cf81ae3b455ff9cbe2528ccea7dda8bce4ee0d1ee6ec35
Instruction ID: 57c064418ce08d090b0c69ef5eef8e1e126b45e6b2b403fcf8435c39b4a96016
Opcode Fuzzy Hash: 016c6690ee0f2238c4cf81ae3b455ff9cbe2528ccea7dda8bce4ee0d1ee6ec35
Instruction Fuzzy Hash: 34412975640204AFEB219FA9CD48EAE7BBCFF89711F108459F989E7254D739DA01CB20

Function 00FF14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00FF1502
VariantCopy.OLEAUT32(?,?), ref: 00FF150B
VariantClear.OLEAUT32(?), ref: 00FF1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FF15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00FF1657
VariantInit.OLEAUT32(?), ref: 00FF1708
SysFreeString.OLEAUT32(?), ref: 00FF178C
VariantClear.OLEAUT32(?), ref: 00FF17D8
VariantClear.OLEAUT32(?), ref: 00FF17E7
VariantInit.OLEAUT32(00000000), ref: 00FF1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00FF1625
Default, xrefs: 00FF16AF

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 7b927c4c777ce88b1721f3413b739cda1444602af4afbe21f928208f77507302
Instruction ID: ebc0f43be4724a99f3f718e28a33032b6078bfb612f458c7dee9567fb6a9a6ab
Opcode Fuzzy Hash: 7b927c4c777ce88b1721f3413b739cda1444602af4afbe21f928208f77507302
Instruction Fuzzy Hash: 26D11332A04119DBEF14AF65D885B79B7B6BF44700F188056F646AB1A0DB38DC44FBA1

Function 0100B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 0100C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100B6AE,?,?), ref: 0100C9B5
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100C9F1
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100CA68
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0100B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0100B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0100B80A
RegCloseKey.ADVAPI32(?), ref: 0100B87E
RegCloseKey.ADVAPI32(?), ref: 0100B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0100B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0100B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0100B922
FreeLibrary.KERNEL32(00000000), ref: 0100B983
RegCloseKey.ADVAPI32(00000000), ref: 0100B994

Strings

RegDeleteKeyExW, xrefs: 0100B8FE
advapi32.dll, xrefs: 0100B8ED

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 3f25d027855534239bcfde229a6e69c0c0a43739de4a6d6445b7473dba9f8b45
Instruction ID: 5e6bcda75d8053360431c74f5f9ef3b7b8518d4f220410c976356aca4b669961
Opcode Fuzzy Hash: 3f25d027855534239bcfde229a6e69c0c0a43739de4a6d6445b7473dba9f8b45
Instruction Fuzzy Hash: 45C1A334208201AFE715DF18C495F6ABBE1FF85308F18859CF59A8B3A2CB75E945CB91

Function 0100255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 010025D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 010025E8
CreateCompatibleDC.GDI32(?), ref: 010025F4
SelectObject.GDI32(00000000,?), ref: 01002601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0100266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 010026AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 010026D0
SelectObject.GDI32(?,?), ref: 010026D8
DeleteObject.GDI32(?), ref: 010026E1
DeleteDC.GDI32(?), ref: 010026E8
ReleaseDC.USER32(00000000,?), ref: 010026F3

Strings

(, xrefs: 0100268D

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 31ad635ad1d1e9f59e8a8093c0be4ecdd23e3d68309ff52584a58e24dfbf51c5
Instruction ID: 534b208e1c9f9e5a062707c254040e2a1cc0273d1528e2cae380288d6d06165b
Opcode Fuzzy Hash: 31ad635ad1d1e9f59e8a8093c0be4ecdd23e3d68309ff52584a58e24dfbf51c5
Instruction Fuzzy Hash: 84611375D00219EFDF15CFA8C988AAEBBF6FF48310F208529E999A7240D735A940CF50

Function 00FBDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00FBDAA1

Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD659
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD66B
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD67D
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD68F
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD6A1
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD6B3
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD6C5
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD6D7
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD6E9
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD6FB
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD70D
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD71F
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD731

_free.LIBCMT ref: 00FBDA96

Part of subcall function 00FB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000), ref: 00FB29DE
Part of subcall function 00FB29C8: GetLastError.KERNEL32(00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000,00000000), ref: 00FB29F0

_free.LIBCMT ref: 00FBDAB8
_free.LIBCMT ref: 00FBDACD
_free.LIBCMT ref: 00FBDAD8
_free.LIBCMT ref: 00FBDAFA
_free.LIBCMT ref: 00FBDB0D
_free.LIBCMT ref: 00FBDB1B
_free.LIBCMT ref: 00FBDB26
_free.LIBCMT ref: 00FBDB5E
_free.LIBCMT ref: 00FBDB65
_free.LIBCMT ref: 00FBDB82
_free.LIBCMT ref: 00FBDB9A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 1297d1112d4b4bb5836021c2328089dae520ee7c8e0324a76f17d72751eb40cc
Instruction ID: 5a3f97e31a81f9ea66c2bc5cfe721aca30f0235d7a6bffb968deaf7d5c95de9c
Opcode Fuzzy Hash: 1297d1112d4b4bb5836021c2328089dae520ee7c8e0324a76f17d72751eb40cc
Instruction Fuzzy Hash: F4316F31A04304AFEB65AA3ADC45BD6B7E9FF40320F158819E449D7592EF39AC40BF21

Function 00FE365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FE369C
_wcslen.LIBCMT ref: 00FE36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FE3797
GetClassNameW.USER32(?,?,00000400), ref: 00FE380C
GetDlgCtrlID.USER32(?), ref: 00FE385D
GetWindowRect.USER32(?,?), ref: 00FE3882
GetParent.USER32(?), ref: 00FE38A0
ScreenToClient.USER32(00000000), ref: 00FE38A7
GetClassNameW.USER32(?,?,00000100), ref: 00FE3921
GetWindowTextW.USER32(?,?,00000400), ref: 00FE395D

Strings

%s%u, xrefs: 00FE3734

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 2982ec903e39a6e753d2b65f2092f800e8f7fd5334364d62762dcc96e6d299e8
Instruction ID: 97094c9ab3d8d7b7321479c6849247791c4068b40d01c8d12c7f0eedb6c910cd
Opcode Fuzzy Hash: 2982ec903e39a6e753d2b65f2092f800e8f7fd5334364d62762dcc96e6d299e8
Instruction Fuzzy Hash: 1191D271604346AFD718DE26C88DFAAF7A9FF44320F008629F999C3181DB34EA45DB91

Function 00FE4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00FE4994
GetWindowTextW.USER32(?,?,00000400), ref: 00FE49DA
_wcslen.LIBCMT ref: 00FE49EB
CharUpperBuffW.USER32(?,00000000), ref: 00FE49F7
_wcsstr.LIBVCRUNTIME ref: 00FE4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00FE4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00FE4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00FE4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00FE4B20
GetWindowRect.USER32(?,?), ref: 00FE4B8B

Strings

ThumbnailClass, xrefs: 00FE4A6F, 00FE4AF1

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b37cb459c5ec8dee574d1765a811644cb89b92ff186ed6fc5f9ff94cd1a85d2a
Instruction ID: 68f4c761b71173645fcc49f25cc96de06f10480305e37a1facebf5510c995bf9
Opcode Fuzzy Hash: b37cb459c5ec8dee574d1765a811644cb89b92ff186ed6fc5f9ff94cd1a85d2a
Instruction Fuzzy Hash: AE91EC714082459FDB04CE16C984FAA77E9FF88724F04846DFD859A086DB38FD45EBA1

Function 01018D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 01018D5A
GetFocus.USER32 ref: 01018D6A
GetDlgCtrlID.USER32(00000000), ref: 01018D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 01018E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 01018ECF
GetMenuItemCount.USER32(?), ref: 01018EEC
GetMenuItemID.USER32(?,00000000), ref: 01018EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 01018F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 01018F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01018FA1

Strings

0, xrefs: 01018E9F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: f215e4a450b7c30946d309788969405bf26c3fe10508d4751360dac210fd79c5
Instruction ID: eec4625bdf0a99d70010ac4fc8e0c234df99564ff438546562f3eb0f98c0a144
Opcode Fuzzy Hash: f215e4a450b7c30946d309788969405bf26c3fe10508d4751360dac210fd79c5
Instruction Fuzzy Hash: FC81C171508301AFEB61DF18C884AAB7BE9FB88354F04495EFAC5D7285D779DA00CB61

Function 00FEBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(01051990,000000FF,00000000,00000030), ref: 00FEBFAC
SetMenuItemInfoW.USER32(01051990,00000004,00000000,00000030), ref: 00FEBFE1
Sleep.KERNEL32(000001F4), ref: 00FEBFF3
GetMenuItemCount.USER32(?), ref: 00FEC039
GetMenuItemID.USER32(?,00000000), ref: 00FEC056
GetMenuItemID.USER32(?,-00000001), ref: 00FEC082
GetMenuItemID.USER32(?,?), ref: 00FEC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FEC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FEC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FEC145

Strings

0, xrefs: 00FEBF3D

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: b2703f650811c33510ae505925d882b3bfdf6259c3d9a0ab91212118a585d4d5
Instruction ID: b90a92a59696128f36356690ec8980f8525c3de9c0cc718080de8de0eae6355f
Opcode Fuzzy Hash: b2703f650811c33510ae505925d882b3bfdf6259c3d9a0ab91212118a585d4d5
Instruction Fuzzy Hash: C5619171900386AFEF21CFA5D988AEE7BB8EB05354F044055F951E3291C739AD46EBA0

Function 00FEDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00FEDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00FEDC46
_wcslen.LIBCMT ref: 00FEDC50
_wcsstr.LIBVCRUNTIME ref: 00FEDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00FEDCBC

Strings

StringFileInfo\, xrefs: 00FEDC8F
\VarFileInfo\Translation, xrefs: 00FEDCB4
%u.%u.%u.%u, xrefs: 00FEDD9A
DefaultLangCodepage, xrefs: 00FEDD1F
04090000, xrefs: 00FEDCF2

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 0b5b354e5789050ed1ecf141f08db38b73319ff0fc7aacab743b231840be2b26
Instruction ID: 26c24f4e62db9293568412de249ec1f456425b7ddcb2aa8e878c5e2dcaefca4f
Opcode Fuzzy Hash: 0b5b354e5789050ed1ecf141f08db38b73319ff0fc7aacab743b231840be2b26
Instruction Fuzzy Hash: 184116B2A402057BEB20A6759C47EBF77ACEF46760F10006DF900EA142EB79D901B7A5

Function 0100CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0100CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0100CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0100CD48

Part of subcall function 0100CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0100CCAA
Part of subcall function 0100CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0100CCBD
Part of subcall function 0100CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0100CCCF
Part of subcall function 0100CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0100CD05
Part of subcall function 0100CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0100CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0100CCF3

Strings

RegDeleteKeyExW, xrefs: 0100CCC9
advapi32.dll, xrefs: 0100CCB8

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 7a1055b64763436db63a49cd2455c82cf49b8aa016cf0d4df6ed92eb3981f654
Instruction ID: 00f9ab9cc6f9c617c7bee006524a2e6f34d84b8f41fefa5c1db95b33752fef33
Opcode Fuzzy Hash: 7a1055b64763436db63a49cd2455c82cf49b8aa016cf0d4df6ed92eb3981f654
Instruction Fuzzy Hash: 2731807194112DBBF7329A55DD88EFFBFBCEF06640F0002A9F981E2144D7389A459BA0

Function 00FF3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FF3D40
_wcslen.LIBCMT ref: 00FF3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FF3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FF3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00FF3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FF3E55
CloseHandle.KERNEL32(00000000), ref: 00FF3E60
CloseHandle.KERNEL32(00000000), ref: 00FF3E6B

Strings

:, xrefs: 00FF3D82
\??\%s, xrefs: 00FF3D5B
\, xrefs: 00FF3D77

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 44b88753779ab36275034e3f213b7f6082abc475fe6314010cd9a6442c3781a5
Instruction ID: ce2797fcad75f4079a9e860833faa0e590f22c4fb7ca02785e3d631adefc20d8
Opcode Fuzzy Hash: 44b88753779ab36275034e3f213b7f6082abc475fe6314010cd9a6442c3781a5
Instruction Fuzzy Hash: 5A318EB2940219ABDB209FA0DC49FEF37BDEF89750F1040A5F649D6064EB78D7449B24

Function 00FEE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FEE6B4

Part of subcall function 00F9E551: timeGetTime.WINMM(?,?,00FEE6D4), ref: 00F9E555

Sleep.KERNEL32(0000000A), ref: 00FEE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00FEE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00FEE727
SetActiveWindow.USER32 ref: 00FEE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FEE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00FEE773
Sleep.KERNEL32(000000FA), ref: 00FEE77E
IsWindow.USER32 ref: 00FEE78A
EndDialog.USER32(00000000), ref: 00FEE79B

Strings

BUTTON, xrefs: 00FEE719

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 33b1333de6fcec80d3b78bb0d5bc21748c20ddc0ce9eff84c89ccf27513a7225
Instruction ID: 7bc88e7bdf2888a61490d20988f343d54dbdbeabfa4e74e87ee3bdf2b420afce
Opcode Fuzzy Hash: 33b1333de6fcec80d3b78bb0d5bc21748c20ddc0ce9eff84c89ccf27513a7225
Instruction Fuzzy Hash: 46218470240385EFFB205F21FD89B263B69FB59758B104824F49582149DB7FEC50EB25

Function 00FEE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FEEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FEEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FEEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FEEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FEEAA7

Strings

play PlayMe, xrefs: 00FEEAA2
alias PlayMe, xrefs: 00FEEA36
open , xrefs: 00FEEA0C
close PlayMe, xrefs: 00FEEA6E, 00FEEA9B
play PlayMe wait, xrefs: 00FEEA91
status PlayMe mode, xrefs: 00FEEA58

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 3f04bea1852c15db4c47a827d5ba551838683681a444a09892728f2bd842f7ab
Instruction ID: 340291955ae192cfc23d0b412fa13cface0d3b690d6ec6f48f5c62be894bf05f
Opcode Fuzzy Hash: 3f04bea1852c15db4c47a827d5ba551838683681a444a09892728f2bd842f7ab
Instruction Fuzzy Hash: CE11A775A502697AD720B7A3DC8ADFF7A7CEBD2F10F00043DB441A6090EEA51D05D6B0

Function 00FE9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FEA012
SetKeyboardState.USER32(?), ref: 00FEA07D
GetAsyncKeyState.USER32(000000A0), ref: 00FEA09D
GetKeyState.USER32(000000A0), ref: 00FEA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00FEA0E3
GetKeyState.USER32(000000A1), ref: 00FEA0F4
GetAsyncKeyState.USER32(00000011), ref: 00FEA120
GetKeyState.USER32(00000011), ref: 00FEA12E
GetAsyncKeyState.USER32(00000012), ref: 00FEA157
GetKeyState.USER32(00000012), ref: 00FEA165
GetAsyncKeyState.USER32(0000005B), ref: 00FEA18E
GetKeyState.USER32(0000005B), ref: 00FEA19C

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8672cd3eec6b8aa859226370583150fceba1b011518391335962b7c45c255656
Instruction ID: 36cbc4671d61f4559de55488fbd1d5e15e505d05a2ca7bc639a4c86cb909534f
Opcode Fuzzy Hash: 8672cd3eec6b8aa859226370583150fceba1b011518391335962b7c45c255656
Instruction Fuzzy Hash: 6251D930D087C829FB35DB6288117EABFB59F12390F08859DD5C2571C2DA98BA4CDB63

Function 00FE5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00FE5CE2
GetWindowRect.USER32(00000000,?), ref: 00FE5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00FE5D59
GetDlgItem.USER32(?,00000002), ref: 00FE5D69
GetWindowRect.USER32(00000000,?), ref: 00FE5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00FE5DCF
GetDlgItem.USER32(?,000003E9), ref: 00FE5DDD
GetWindowRect.USER32(00000000,?), ref: 00FE5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00FE5E31
GetDlgItem.USER32(?,000003EA), ref: 00FE5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FE5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00FE5E67

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f2b082725c6be037e8c63ec92ac1a5ae863434b29e0ddb8d1803df2e76091aeb
Instruction ID: c31e61be770c60f43b9f12d5b8fe8819034be492649f9333af9fe44b1b839697
Opcode Fuzzy Hash: f2b082725c6be037e8c63ec92ac1a5ae863434b29e0ddb8d1803df2e76091aeb
Instruction Fuzzy Hash: EB511C71A40605AFDB18CF69CE89AAEBBB5BB48714F108129F515E7294D774EE00CB50

Function 00F98BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F98F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F98BE8,?,00000000,?,?,?,?,00F98BBA,00000000,?), ref: 00F98FC5

DestroyWindow.USER32(?), ref: 00F98C81
KillTimer.USER32(00000000,?,?,?,?,00F98BBA,00000000,?), ref: 00F98D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00FD6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F98BBA,00000000,?), ref: 00FD69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F98BBA,00000000,?), ref: 00FD69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F98BBA,00000000), ref: 00FD69D4
DeleteObject.GDI32(00000000), ref: 00FD69E6

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d02ee3fa33a1e8e1434488aaadd6b5643a2293c94d82eb2294677ea3c2b0db7b
Instruction ID: c421aa5a6112c97a3bdbaa3bee8f303789e7da38bdca74d19c952bd741251f65
Opcode Fuzzy Hash: d02ee3fa33a1e8e1434488aaadd6b5643a2293c94d82eb2294677ea3c2b0db7b
Instruction Fuzzy Hash: AD619F31901701DFEF359F14DA48B2677F2FB42362F144519E08297654CB7AAD82EB90

Function 00F99838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00F99944: GetWindowLongW.USER32(?,000000EB), ref: 00F99952

GetSysColor.USER32(0000000F), ref: 00F99862

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: b1d88beb78022269413847eb3d50e0052b653f87392ea03f8ed346a1a6792458
Instruction ID: b13b5e520f09c609750dd96ae8a63bc9c8460d539a89295cfa91d49152e8a81c
Opcode Fuzzy Hash: b1d88beb78022269413847eb3d50e0052b653f87392ea03f8ed346a1a6792458
Instruction Fuzzy Hash: 1D419231548640AFEF305F3C9884BB93765AB06330F59461DF9A28B2D5D77ADC81EB11

Function 00FE96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00FCF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00FE9717
LoadStringW.USER32(00000000,?,00FCF7F8,00000001), ref: 00FE9720

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00FCF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00FE9742
LoadStringW.USER32(00000000,?,00FCF7F8,00000001), ref: 00FE9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00FE9866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FE984A
^ ERROR, xrefs: 00FE97FB
Error: , xrefs: 00FE981D
Line %d:, xrefs: 00FE97A0
Line %d (File "%s"):, xrefs: 00FE978F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 197f320be951fbcd5bf398260c78db53b5b30f8e5d47dda2a00363e285a25449
Instruction ID: fab9620e6b8cf0b169a74b83fc2d73cde0e7a68fc9651bbb942e2ae8f3779417
Opcode Fuzzy Hash: 197f320be951fbcd5bf398260c78db53b5b30f8e5d47dda2a00363e285a25449
Instruction Fuzzy Hash: F0415D72904219AADF04FBE1CE86EEE7378AF55740F540025F601B2092EB796F49EB61

Function 00FE06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F86B57: _wcslen.LIBCMT ref: 00F86B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FE07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FE07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FE07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FE0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00FE082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FE0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FE083C

Strings

\CLSID, xrefs: 00FE0724
SOFTWARE\Classes\, xrefs: 00FE070E
\IPC$, xrefs: 00FE0784

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 863e8aeb0ba8d30abb35a5ece114de9cae4d552ebc65a20db187aa0aa34b6286
Instruction ID: 62fd45525956376235bd1da76421ffda8b236dceda0dee24efe537fbc60779dd
Opcode Fuzzy Hash: 863e8aeb0ba8d30abb35a5ece114de9cae4d552ebc65a20db187aa0aa34b6286
Instruction Fuzzy Hash: 90410472C10229ABDF25EFA4DC85CEDB778FF04750B04412AF901A7161EB78AE44DBA0

Function 01013F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0101403B
CreateCompatibleDC.GDI32(00000000), ref: 01014042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01014055
SelectObject.GDI32(00000000,00000000), ref: 0101405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 01014068
DeleteDC.GDI32(00000000), ref: 01014072
GetWindowLongW.USER32(?,000000EC), ref: 0101407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 01014092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0101409E

Strings

static, xrefs: 01013FD3

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 29625a43c22a863f069351cb585fcfea56c85ea2c083ac6cf199f096193c1d76
Instruction ID: bbf480aac464b6c5e9bcea68ea9780ac10da725d9a2dfc0902edf46d2b638587
Opcode Fuzzy Hash: 29625a43c22a863f069351cb585fcfea56c85ea2c083ac6cf199f096193c1d76
Instruction Fuzzy Hash: 20316C32141215ABEF229FA8DD08FDA3BA9FF0D324F110215FA98E6194C77ED860DB54

Function 01003C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01003C5C
CoInitialize.OLE32(00000000), ref: 01003C8A
CoUninitialize.OLE32 ref: 01003C94
_wcslen.LIBCMT ref: 01003D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 01003DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 01003ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 01003F0E
CoGetObject.OLE32(?,00000000,0101FB98,?), ref: 01003F2D
SetErrorMode.KERNEL32(00000000), ref: 01003F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01003FC4
VariantClear.OLEAUT32(?), ref: 01003FD8

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 6103fab19a4d917cdc787a8a94f9b62cabfff884b86e276dcc0ebe2936f4004f
Instruction ID: 311d9f1fa4ab3ffda7fb34f9c26d8d0a247434f49a7e6312cab2e0c1c86cceaf
Opcode Fuzzy Hash: 6103fab19a4d917cdc787a8a94f9b62cabfff884b86e276dcc0ebe2936f4004f
Instruction Fuzzy Hash: D7C165716083059FE702EF28C88492BBBE9FF89744F04495DF98A9B291DB35ED05CB52

Function 00FF7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FF7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FF7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00FF7BA3
CoCreateInstance.OLE32(0101FD08,00000000,00000001,01046E6C,?), ref: 00FF7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FF7C74
CoTaskMemFree.OLE32(?,?), ref: 00FF7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00FF7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FF7D7A
CoTaskMemFree.OLE32(00000000), ref: 00FF7D81
CoTaskMemFree.OLE32(00000000), ref: 00FF7DD6
CoUninitialize.OLE32 ref: 00FF7DDC

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a40f9c7a74ad1206b9ee67d6551bb102ee937cf8c8931c12f68af763715da88e
Instruction ID: 95f885880a6f131192f1fc82e1892f867f89e0e8056827f3d57d5446e3a04237
Opcode Fuzzy Hash: a40f9c7a74ad1206b9ee67d6551bb102ee937cf8c8931c12f68af763715da88e
Instruction Fuzzy Hash: 11C14B75A04209AFDB14EFA4C884DAEBBF9FF48314B148098E915DB361DB35ED41DB90

Function 0101541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01015504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01015515
CharNextW.USER32(00000158), ref: 01015544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01015585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0101559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010155AC

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 093ccbb90df7b2f850c3838a433ad061aa6757603ab905113f252f65be6af5f2
Instruction ID: d1aa2155b2a9d82948006722d8bf031874007ffe285fb4999b675994545976f3
Opcode Fuzzy Hash: 093ccbb90df7b2f850c3838a433ad061aa6757603ab905113f252f65be6af5f2
Instruction Fuzzy Hash: 0C618230A40209AFEF208F54CD849FE7BB9EB4B728F004545F6A5AF294D77D9641CB61

Function 00FDFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FDFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00FDFB08
VariantInit.OLEAUT32(?), ref: 00FDFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FDFB3A
VariantCopy.OLEAUT32(?,?), ref: 00FDFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FDFBA1
VariantClear.OLEAUT32(?), ref: 00FDFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00FDFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FDFBCC
VariantClear.OLEAUT32(?), ref: 00FDFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FDFBE9

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: fd5dc1e5a74c158370a51067c5d3ba68c0a1d1c1fa15b2d0c464681a7cbfa1b5
Instruction ID: f56f7d14e6b3a26255a74d8df753c097c68825d360ba5e1b9f2846be34a7ff31
Opcode Fuzzy Hash: fd5dc1e5a74c158370a51067c5d3ba68c0a1d1c1fa15b2d0c464681a7cbfa1b5
Instruction Fuzzy Hash: 5C41A135A402199FDB10DFA4D844DADBBB9FF48354F04802AE946A7351CB39E945DBA0

Function 00FE9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FE9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00FE9D22
GetKeyState.USER32(000000A0), ref: 00FE9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00FE9D57
GetKeyState.USER32(000000A1), ref: 00FE9D6C
GetAsyncKeyState.USER32(00000011), ref: 00FE9D84
GetKeyState.USER32(00000011), ref: 00FE9D96
GetAsyncKeyState.USER32(00000012), ref: 00FE9DAE
GetKeyState.USER32(00000012), ref: 00FE9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00FE9DD8
GetKeyState.USER32(0000005B), ref: 00FE9DEA

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2b9e723b3ab826a4643d59b6f7236ccc366402f07d4aeac7939ba2ca92566509
Instruction ID: ff67f0f55c96325f2bed8dcb454a7a3a74e04652ce28c252292723076dd291f8
Opcode Fuzzy Hash: 2b9e723b3ab826a4643d59b6f7236ccc366402f07d4aeac7939ba2ca92566509
Instruction Fuzzy Hash: 20411830D0C7CA6DFF30966688043B5BEE16F11324F08805EDAC6562C2DBE999C8D7B2

Function 0100055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 010005BC
inet_addr.WSOCK32(?), ref: 0100061C
gethostbyname.WSOCK32(?), ref: 01000628
IcmpCreateFile.IPHLPAPI ref: 01000636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 010006C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 010006E5
IcmpCloseHandle.IPHLPAPI(?), ref: 010007B9
WSACleanup.WSOCK32 ref: 010007BF

Strings

Ping, xrefs: 01000676

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: a064780130ecb9bcfe9614798e05eb664fe513a79af3612b0acc2ca24ef656f4
Instruction ID: 8737fbe000a1cff9dfa2db22e3d668d8cc6dd4f2c58682b5cd4be79c4089a30f
Opcode Fuzzy Hash: a064780130ecb9bcfe9614798e05eb664fe513a79af3612b0acc2ca24ef656f4
Instruction Fuzzy Hash: B391D4346042019FE321DF18C888F1ABBE0BF49358F148599F5A98B7A6C739ED45CF91

Function 01008CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 01008CF3

Part of subcall function 00FE8E54: _wcslen.LIBCMT ref: 00FE8E77

_wcslen.LIBCMT ref: 01008D4E
_wcslen.LIBCMT ref: 01008D9C
_wcslen.LIBCMT ref: 01008DDC
_wcslen.LIBCMT ref: 01008E6E

Strings

cdecl, xrefs: 01008D48, 01008D4D
stdcall, xrefs: 01008DD6, 01008DDB
winapi, xrefs: 01008D96, 01008D9B
none, xrefs: 01008E65, 01008E6A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 851c1fbe7c9db79903a4bf1295b389c451db1f9984528de2127c70f4b447013f
Instruction ID: 0706e21af84fb241d8f492bb7e576f86886c95f56094e03f5cfb201c5dd5acfb
Opcode Fuzzy Hash: 851c1fbe7c9db79903a4bf1295b389c451db1f9984528de2127c70f4b447013f
Instruction Fuzzy Hash: BD51B071E001169BEB16EF6CC9408BEB7E5BF65320F20826AE5A6E72C5DB35DD40C790

Function 0100372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 01003774
CoUninitialize.OLE32 ref: 0100377F
CoCreateInstance.OLE32(?,00000000,00000017,0101FB78,?), ref: 010037D9
IIDFromString.OLE32(?,?), ref: 0100384C
VariantInit.OLEAUT32(?), ref: 010038E4
VariantClear.OLEAUT32(?), ref: 01003936

Strings

Failed to create object, xrefs: 010037E4, 0100389A
Invalid parameter, xrefs: 01003865
NULL Pointer assignment, xrefs: 0100381E

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 524acd89240de54ba8efdde747c769ec84ca7fef3edf3aaf5463e8402ec8eec1
Instruction ID: 6e86f2485afeb94400de06415d71a7530654892f85cf35aaf5d23fee83389a6c
Opcode Fuzzy Hash: 524acd89240de54ba8efdde747c769ec84ca7fef3edf3aaf5463e8402ec8eec1
Instruction Fuzzy Hash: D5619F70608301AFE322DF54C889B6ABBE4FF49714F04089DF9C59B291D774EA48CB92

Function 00FF3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00FF33CF

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FF33F0

Strings

^ ERROR , xrefs: 00FF349E
Incorrect parameters to object property !, xrefs: 00FF34AB
Error: , xrefs: 00FF34D1
Line %d (File "%s"):, xrefs: 00FF3443, 00FF345C
"%s" (%d) : ==> %s:%s%s, xrefs: 00FF3504
"%s" (%d) : ==> %s:, xrefs: 00FF3522

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 19c0de8c5d8a634f041702574de0883400b02a3995a31f6632f7083d94eb7b14
Instruction ID: 55e688fc15b736617a227843bbe651d9d4734a0f55bfeb37aaccccf79695936f
Opcode Fuzzy Hash: 19c0de8c5d8a634f041702574de0883400b02a3995a31f6632f7083d94eb7b14
Instruction Fuzzy Hash: 09518C7290420AAADF14FBA0CD46EFEB379AF05740F144065F50572062EB7A6F58EB60

Function 00FEB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FEB5FC
_wcslen.LIBCMT ref: 00FEB608
_wcslen.LIBCMT ref: 00FEB64D
_wcslen.LIBCMT ref: 00FEB68C
_wcslen.LIBCMT ref: 00FEB6C7

Strings

REMOVE, xrefs: 00FEB602, 00FEB607
KEYS, xrefs: 00FEB647, 00FEB64C
EXISTS, xrefs: 00FEB686, 00FEB68B
APPEND, xrefs: 00FEB6C1, 00FEB6C6

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: beb1e5a22710fba0227b721ba0acac3606a945b90aaf528cc4e99d877cd405a1
Instruction ID: 9fef4ce31d31c3d55f0ff9afa9adc9e35e5a4a8307c866e5b66ea327804e1811
Opcode Fuzzy Hash: beb1e5a22710fba0227b721ba0acac3606a945b90aaf528cc4e99d877cd405a1
Instruction Fuzzy Hash: E541D372E000669BCB20AF7ECC905BFB7A5BBA1764B244169E461DB284F735CD81E790

Function 00FF5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FF53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FF5416
GetLastError.KERNEL32 ref: 00FF5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00FF54A7

Strings

INVALID, xrefs: 00FF5459
READY, xrefs: 00FF5460, 00FF5468
NOTREADY, xrefs: 00FF544B
UNKNOWN, xrefs: 00FF5444
READONLY, xrefs: 00FF5452

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4acfac28f76718976e02937bd41681fa7654c176f3b1af622c1823b41cb950f9
Instruction ID: 7393efbb1e7517737d0279cd90fe7057bc996b4e88f27434c20e2b3234e40b9c
Opcode Fuzzy Hash: 4acfac28f76718976e02937bd41681fa7654c176f3b1af622c1823b41cb950f9
Instruction Fuzzy Hash: A831F375E002099FD710DF68C494BB9BBB4FF05715F148059E601CB262D776DD82DBA0

Function 01013C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 01013C79
SetMenu.USER32(?,00000000), ref: 01013C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01013D10
IsMenu.USER32(?), ref: 01013D24
CreatePopupMenu.USER32 ref: 01013D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01013D5B
DrawMenuBar.USER32 ref: 01013D63

Strings

0, xrefs: 01013C54
F, xrefs: 01013D4E

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 2ad7545dc8848fb5cf3d6f725653c12bf3c0074849e6353201a6e3ba21bba712
Instruction ID: a219b7c6fc178c1029e47526fa865b2e55e5490bc116fc6371457917f95e0b90
Opcode Fuzzy Hash: 2ad7545dc8848fb5cf3d6f725653c12bf3c0074849e6353201a6e3ba21bba712
Instruction Fuzzy Hash: E2418C78A01209AFEB24DF64E844B9A7BF5FF49314F040068EA869B354D739E910CB50

Function 00FE1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 00FE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FE3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00FE1F64
GetDlgCtrlID.USER32 ref: 00FE1F6F
GetParent.USER32 ref: 00FE1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FE1F8E
GetDlgCtrlID.USER32(?), ref: 00FE1F97
GetParent.USER32(?), ref: 00FE1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FE1FAE

Strings

ListBox, xrefs: 00FE1F21
ComboBox, xrefs: 00FE1EEC

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 21d0d7b5d1deb50c62a65f0ee7ab09c0a876fe9658f781358175a3ee027cf68d
Instruction ID: eb7992d4d688960500a66a5c75f6ebe2010dbee60fe680a97418cb37e0dd464b
Opcode Fuzzy Hash: 21d0d7b5d1deb50c62a65f0ee7ab09c0a876fe9658f781358175a3ee027cf68d
Instruction Fuzzy Hash: 5521D370900214BFDF10AFA1CC84DFEBBB4AF09310B100515B99167291DB7D9904EBA0

Function 00FE1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 00FE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FE3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00FE2043
GetDlgCtrlID.USER32 ref: 00FE204E
GetParent.USER32 ref: 00FE206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FE206D
GetDlgCtrlID.USER32(?), ref: 00FE2076
GetParent.USER32(?), ref: 00FE208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FE208D

Strings

ListBox, xrefs: 00FE2002
ComboBox, xrefs: 00FE1FCD

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: a6380624cbe6674e4ec7d2bae1bbb0117d2878dc39d9b559b0179c49a5a8f238
Instruction ID: a058cf244e5033e408011e4adeef022aa52246af98c6d14b6356e0f28c2c0f86
Opcode Fuzzy Hash: a6380624cbe6674e4ec7d2bae1bbb0117d2878dc39d9b559b0179c49a5a8f238
Instruction Fuzzy Hash: BC21CFB1E40214BFDF11AFA1CC89EFEBBB8AF09300F100415B991A7195DA7E9914EB60

Function 01013A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01013A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01013AA0
GetWindowLongW.USER32(?,000000F0), ref: 01013AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01013AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01013B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 01013BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 01013BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 01013BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 01013BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 01013C13

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5768ee14e6017f81fbc666ba851e825a4c419c90be0bc7dcaa585833887be2a7
Instruction ID: f428a67a2796901af71dbf4c97eb73577a1f4a90e4ee5fc8b8a0443c8f81aba3
Opcode Fuzzy Hash: 5768ee14e6017f81fbc666ba851e825a4c419c90be0bc7dcaa585833887be2a7
Instruction Fuzzy Hash: 82617975A00248AFEB20DFA8CC81EEE77F8FB09714F100199FA55AB291D778AD41DB50

Function 00FEB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FEB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FEA1E1,?,00000001), ref: 00FEB165
GetWindowThreadProcessId.USER32(00000000), ref: 00FEB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FEA1E1,?,00000001), ref: 00FEB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FEB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00FEA1E1,?,00000001), ref: 00FEB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FEA1E1,?,00000001), ref: 00FEB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FEA1E1,?,00000001), ref: 00FEB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00FEA1E1,?,00000001), ref: 00FEB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00FEA1E1,?,00000001), ref: 00FEB21D

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 60718285dd89462f508aed84ab3f3bf79d1c88a5f9a9939ad580cc6371fb616c
Instruction ID: 8d9614efa8a2b3866af3360a8b328a870e5ad17bdd0fcc0279ff11f13a98a938
Opcode Fuzzy Hash: 60718285dd89462f508aed84ab3f3bf79d1c88a5f9a9939ad580cc6371fb616c
Instruction Fuzzy Hash: E731EC75940304BFEB269F25D958B6F7BA9BF543A1F10440AFA80CA184D7BEE8009F64

Function 00FB2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FB2C94

Part of subcall function 00FB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000), ref: 00FB29DE
Part of subcall function 00FB29C8: GetLastError.KERNEL32(00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000,00000000), ref: 00FB29F0

_free.LIBCMT ref: 00FB2CA0
_free.LIBCMT ref: 00FB2CAB
_free.LIBCMT ref: 00FB2CB6
_free.LIBCMT ref: 00FB2CC1
_free.LIBCMT ref: 00FB2CCC
_free.LIBCMT ref: 00FB2CD7
_free.LIBCMT ref: 00FB2CE2
_free.LIBCMT ref: 00FB2CED
_free.LIBCMT ref: 00FB2CFB

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9eddbdd3f383a0b69ff7702ba66dce75b4b0f6e8dec44f5e35cf8cd3d6034244
Instruction ID: 7a8fad9da8aa41ae03b9bb1bb3a9fd26d51390f30233351358c8970358e3fafd
Opcode Fuzzy Hash: 9eddbdd3f383a0b69ff7702ba66dce75b4b0f6e8dec44f5e35cf8cd3d6034244
Instruction Fuzzy Hash: 89119476500108BFCB42EF5ADC42CDD3BB5BF05350F4148A5F9485B622DA35EA50AF90

Function 00FF7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FF7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00FF7FC1
GetFileAttributesW.KERNEL32(?), ref: 00FF7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FF8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00FF8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00FF8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FF80B0

Strings

*.*, xrefs: 00FF8066

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 789361ab6c3692e2a9ec3abdf51a2d4e55dbf57d696f2ac8e83da9023c2116e2
Instruction ID: fe04a308d052a5c2abb6278d21c5f79a656ca28c8a013b228fb50493a167b642
Opcode Fuzzy Hash: 789361ab6c3692e2a9ec3abdf51a2d4e55dbf57d696f2ac8e83da9023c2116e2
Instruction Fuzzy Hash: BA81D2729083499BCB20EF14C844ABEF3D8BF84320F54485EF685C7260EB79DD45AB92

Function 00F85BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F85C7A

Part of subcall function 00F85D0A: GetClientRect.USER32(?,?), ref: 00F85D30
Part of subcall function 00F85D0A: GetWindowRect.USER32(?,?), ref: 00F85D71
Part of subcall function 00F85D0A: ScreenToClient.USER32(?,?), ref: 00F85D99

GetDC.USER32 ref: 00FC46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FC4708
SelectObject.GDI32(00000000,00000000), ref: 00FC4716
SelectObject.GDI32(00000000,00000000), ref: 00FC472B
ReleaseDC.USER32(?,00000000), ref: 00FC4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FC47C4

Strings

U, xrefs: 00FC4693

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7816ed9635aa0efcb23feaf4db16405a84b18bc64e8418e7219d6a8aab6da515
Instruction ID: e7631172e589179ca93cf7783f97771c3b3fd6b06e097b858cdb32ef8980def2
Opcode Fuzzy Hash: 7816ed9635aa0efcb23feaf4db16405a84b18bc64e8418e7219d6a8aab6da515
Instruction Fuzzy Hash: AB71DF31800206DFCF219F64CA96FEA7BB1FF4A324F144269ED955A299C335A841FF50

Function 00FF359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00FF35E4

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

LoadStringW.USER32(01052390,?,00000FFF,?), ref: 00FF360A

Strings

^ ERROR, xrefs: 00FF36C9
Error: , xrefs: 00FF36EF
Line %d (File "%s"):, xrefs: 00FF366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00FF3724
"%s" (%d) : ==> %s:, xrefs: 00FF3742

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: fd6d7c801248502b4d695caf18e166f01d91da94b94950f69c53178132d23a4a
Instruction ID: f76ece2e5bc963907b4d8f268d850e84df022e645c2d5eea645aa32c455a45d1
Opcode Fuzzy Hash: fd6d7c801248502b4d695caf18e166f01d91da94b94950f69c53178132d23a4a
Instruction Fuzzy Hash: 9A514C7290421ABADF14FBA0CC42EFEBB79AF05700F144125F20572162EB795B99EB60

Function 01018B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

Part of subcall function 00F9912D: GetCursorPos.USER32(?), ref: 00F99141
Part of subcall function 00F9912D: ScreenToClient.USER32(00000000,?), ref: 00F9915E
Part of subcall function 00F9912D: GetAsyncKeyState.USER32(00000001), ref: 00F99183
Part of subcall function 00F9912D: GetAsyncKeyState.USER32(00000002), ref: 00F9919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 01018B6B
ImageList_EndDrag.COMCTL32 ref: 01018B71
ReleaseCapture.USER32 ref: 01018B77
SetWindowTextW.USER32(?,00000000), ref: 01018C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 01018C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 01018CFF

Strings

@GUI_DROPID, xrefs: 01018C51
@GUI_DRAGFILE, xrefs: 01018C9A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 3feba73d71f0c683180faa95818fb1c5d2918f0a279f0e60785ee4da1927414c
Instruction ID: 8ddadef9e7c1e13089eb2954d1718d9a8af0abe268a7e6cfb2f425a92b8a4318
Opcode Fuzzy Hash: 3feba73d71f0c683180faa95818fb1c5d2918f0a279f0e60785ee4da1927414c
Instruction Fuzzy Hash: 18518C70104304AFE714EF24DC96FAB7BE4FB88714F40062DF99697295CB799A44CB62

Function 00FFC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FFC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FFC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FFC2CA
GetLastError.KERNEL32 ref: 00FFC322
SetEvent.KERNEL32(?), ref: 00FFC336
InternetCloseHandle.WININET(00000000), ref: 00FFC341

Strings

, xrefs: 00FFC2BB

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9b31709cc5014fb42a19a52056d01f4a6b880669656ba69ecb14d53f5dfdf1f1
Instruction ID: aa3f842dfb61bbe64ee8d327f2793f87cf8675ec633c4b2c8e9c742fefd933a6
Opcode Fuzzy Hash: 9b31709cc5014fb42a19a52056d01f4a6b880669656ba69ecb14d53f5dfdf1f1
Instruction Fuzzy Hash: 413193B190021CAFD7219F648A84ABB7BFCEF45794B14451DF586D2210DB39DD04ABA1

Function 00FE989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00FC3AAF,?,?,Bad directive syntax error,0101CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FE98BC
LoadStringW.USER32(00000000,?,00FC3AAF,?), ref: 00FE98C3

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FE9987

Strings

Line %d:, xrefs: 00FE9912
., xrefs: 00FE996D
%s (%d) : ==> %s.: %s %s, xrefs: 00FE98F1
Line %d (File "%s"):, xrefs: 00FE992D
Error: , xrefs: 00FE9955

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 606a77162018af50c5e167413fff93ebe0fa88da1694bc16130464a761eb20be
Instruction ID: fabd153227fb355569d0fbd7c5790896765ed6f3bdc3666259fa285631734463
Opcode Fuzzy Hash: 606a77162018af50c5e167413fff93ebe0fa88da1694bc16130464a761eb20be
Instruction Fuzzy Hash: 6A219F32D4421ABBDF15AF90CC46EFE7735FF19700F044429F51566062EBBA9A28EB20

Function 00FE209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00FE20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00FE20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FE214D

Strings

largeicons, xrefs: 00FE20E1
details, xrefs: 00FE20FB
list, xrefs: 00FE212F
smallicons, xrefs: 00FE2115
SHELLDLL_DefView, xrefs: 00FE20CC

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 5c264e9b2e74c99b130c46e398e78ee2f175a64c3aaac23188eec686938d8006
Instruction ID: a27339506a58de74f9271932ffbf2c586267b8ba1ef34c1049f26f2a575fc761
Opcode Fuzzy Hash: 5c264e9b2e74c99b130c46e398e78ee2f175a64c3aaac23188eec686938d8006
Instruction Fuzzy Hash: 18112CB76C8306BBF6112622DC07DA6379CCB05734B20002AFB44A90A1FEBDB9017A54

Function 00FB8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e596205f5be8777205fe0569edbbd180514a447bc16eddbcbe6d055f23175a53
Instruction ID: 9a968a54893b19f5e51b71d4f2dc3687bf7b534f3c1738d58a63b15ce7e16cdf
Opcode Fuzzy Hash: e596205f5be8777205fe0569edbbd180514a447bc16eddbcbe6d055f23175a53
Instruction Fuzzy Hash: B5C11575D08249AFDB11EFEAD840BEDBBB4AF49360F144059F554AB382C7798942EF20

Function 00FBCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FBCEB7
_free.LIBCMT ref: 00FBCF22
_free.LIBCMT ref: 00FBCF48
_free.LIBCMT ref: 00FBCF71
_free.LIBCMT ref: 00FBCFA9
_free.LIBCMT ref: 00FBCFDA
_free.LIBCMT ref: 00FBD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00FBD09C
_free.LIBCMT ref: 00FBD0B5

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b991b0c28e10c3374310613209a3df7a3d50133022f63fa425492f36029d0a59
Instruction ID: 69e3681aa3da32466b000123c6907e1faed79ef3fcb34eac5efd2670824c3fc2
Opcode Fuzzy Hash: b991b0c28e10c3374310613209a3df7a3d50133022f63fa425492f36029d0a59
Instruction Fuzzy Hash: DB612671D04301ABDB21BF769881AFF7BA5AF05760F0441ADF9449B245E73A9900BFB1

Function 010150D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 01015186
ShowWindow.USER32(?,00000000), ref: 010151C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 010151CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 010151D1

Part of subcall function 01016FBA: DeleteObject.GDI32(00000000), ref: 01016FE6

GetWindowLongW.USER32(?,000000F0), ref: 0101520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0101521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0101524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 01015287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 01015296

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 683cf9397c5a90abd0462cfb75eac7f7eacf636b43a1c0b49ee9cc70531fdf09
Instruction ID: 51105c614ea80d28a96f299059d36b893a239b27ceadfa23feda764689bb1aac
Opcode Fuzzy Hash: 683cf9397c5a90abd0462cfb75eac7f7eacf636b43a1c0b49ee9cc70531fdf09
Instruction Fuzzy Hash: 3651C231A90209BEFF319E28CC49BD93BA1FB87321F144051F6949E2D8D7BEA580CB41

Function 00F98B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00FD6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00FD68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FD68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00FD68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FD68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F98874,00000000,00000000,00000000,000000FF,00000000), ref: 00FD6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FD691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F98874,00000000,00000000,00000000,000000FF,00000000), ref: 00FD692D

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 08d25eb4d0c98196bf262d1c6e786edde4c5f2fe6bf61b86765ce64d4c87722d
Instruction ID: 00e78c198f4069eea803932d362044cb7147fb759eb3db34e7acbd321126fb43
Opcode Fuzzy Hash: 08d25eb4d0c98196bf262d1c6e786edde4c5f2fe6bf61b86765ce64d4c87722d
Instruction Fuzzy Hash: 0C517A70A40205AFEF20CF24CC55BAA7BB6EF88760F144519F942D7290DB79E991EB50

Function 00FFC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FFC182
GetLastError.KERNEL32 ref: 00FFC195
SetEvent.KERNEL32(?), ref: 00FFC1A9

Part of subcall function 00FFC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FFC272
Part of subcall function 00FFC253: GetLastError.KERNEL32 ref: 00FFC322
Part of subcall function 00FFC253: SetEvent.KERNEL32(?), ref: 00FFC336
Part of subcall function 00FFC253: InternetCloseHandle.WININET(00000000), ref: 00FFC341

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 849bf0e71813504ec0012e1ac87c769b0acdbe37dc787c0c8bf2b77a8a423ffd
Instruction ID: b6ed5a954f2a727e0179793b2040224db47815b9dcda91562baba5c7ef6ce5ce
Opcode Fuzzy Hash: 849bf0e71813504ec0012e1ac87c769b0acdbe37dc787c0c8bf2b77a8a423ffd
Instruction Fuzzy Hash: 8031B27154061DAFEB219FE5DE44AB6BBF8FF18310B00441DFA9683624C739E914EBA0

Function 00FE25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FE3A57
Part of subcall function 00FE3A3D: GetCurrentThreadId.KERNEL32 ref: 00FE3A5E
Part of subcall function 00FE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FE25B3), ref: 00FE3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00FE25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FE25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00FE25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FE25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FE2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00FE2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FE260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FE2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00FE2627

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a207ce51d61051a27ece31067a6656663f4e148eefd25c64b3c497ea6a423993
Instruction ID: 6fd251cd73213edd5ae5469f29c04e3dc7d6c98a67bbcd7c61af7b3da8ab6386
Opcode Fuzzy Hash: a207ce51d61051a27ece31067a6656663f4e148eefd25c64b3c497ea6a423993
Instruction Fuzzy Hash: B501D4313D0354BBFB2067699C8EF593F99DB4EB12F100011F358AF0C4C9FA64449A69

Function 00FE1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00FE1449,?,?,00000000), ref: 00FE180C
HeapAlloc.KERNEL32(00000000,?,00FE1449,?,?,00000000), ref: 00FE1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FE1449,?,?,00000000), ref: 00FE1828
GetCurrentProcess.KERNEL32(?,00000000,?,00FE1449,?,?,00000000), ref: 00FE1830
DuplicateHandle.KERNEL32(00000000,?,00FE1449,?,?,00000000), ref: 00FE1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FE1449,?,?,00000000), ref: 00FE1843
GetCurrentProcess.KERNEL32(00FE1449,00000000,?,00FE1449,?,?,00000000), ref: 00FE184B
DuplicateHandle.KERNEL32(00000000,?,00FE1449,?,?,00000000), ref: 00FE184E
CreateThread.KERNEL32(00000000,00000000,00FE1874,00000000,00000000,00000000), ref: 00FE1868

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c05d5bb1b9d2aacfd95520cf5897f8b7684078d6a3ba4aa090c248bf0ce40a85
Instruction ID: 565c5dbb2ebe48893c24f9b29ae41f40fbeeed81e31f10005910dd226eaa9fad
Opcode Fuzzy Hash: c05d5bb1b9d2aacfd95520cf5897f8b7684078d6a3ba4aa090c248bf0ce40a85
Instruction Fuzzy Hash: 3C01ACB52C0344BFF720AB65DD49F577B6CEB89B11F004411FA45DB195C679D8008B20

Function 0100A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00FED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00FED501
Part of subcall function 00FED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00FED50F
Part of subcall function 00FED4DC: CloseHandle.KERNELBASE(00000000), ref: 00FED5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0100A16D
GetLastError.KERNEL32 ref: 0100A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0100A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0100A268
GetLastError.KERNEL32(00000000), ref: 0100A273
CloseHandle.KERNEL32(00000000), ref: 0100A2C4

Strings

SeDebugPrivilege, xrefs: 0100A18F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 28f3639ac4d97d37957dd4a2c7e7bc2407b25ec19c9b5d4fb7c59b32dff106ce
Instruction ID: 42cf444844555166a58d89d79c2ea18712b98d4aecf0387d5ee15e99a41dc7e8
Opcode Fuzzy Hash: 28f3639ac4d97d37957dd4a2c7e7bc2407b25ec19c9b5d4fb7c59b32dff106ce
Instruction Fuzzy Hash: 8F618C70204342EFE721DF19C894F5ABBE1AF44318F18849CE5A68B793C77AE945CB91

Function 01013886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01013925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0101393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01013954
_wcslen.LIBCMT ref: 01013999
SendMessageW.USER32(?,00001057,00000000,?), ref: 010139C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 010139F4

Strings

SysListView32, xrefs: 010138F7

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 1cf3cb26b27098f5fdd11624c87b9854ac4874141dc5e1c0b97d8f33b4d1f599
Instruction ID: d9a1ce5c8efc34ce56b8bb5f5a4337697bddfb44266b58ac638a4920d0a9f4de
Opcode Fuzzy Hash: 1cf3cb26b27098f5fdd11624c87b9854ac4874141dc5e1c0b97d8f33b4d1f599
Instruction Fuzzy Hash: 3C41C771A00319ABEF219F64CC45FEA7BA9FF08364F100566F984EB285D379D940CB90

Function 00FEBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FEBCFD
IsMenu.USER32(00000000), ref: 00FEBD1D
CreatePopupMenu.USER32 ref: 00FEBD53
GetMenuItemCount.USER32(009F4C08), ref: 00FEBDA4
InsertMenuItemW.USER32(009F4C08,?,00000001,00000030), ref: 00FEBDCC

Strings

2, xrefs: 00FEBD37
0, xrefs: 00FEBCA8

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 024c0a7cd08c09a49365a10a8483920fd53983283c2c665cc02001415dd9e0f5
Instruction ID: 26fcb839b3e9dbee4bf8073a12411fdd70e01c5945c50f3f50a72846fe071307
Opcode Fuzzy Hash: 024c0a7cd08c09a49365a10a8483920fd53983283c2c665cc02001415dd9e0f5
Instruction Fuzzy Hash: DA51AD70A002899BDF30CFAADD88BAFBBF8BF45324F244229E451D7290D7749941DB61

Function 00FEC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FEC913

Strings

info, xrefs: 00FEC8B4
blank, xrefs: 00FEC895
question, xrefs: 00FEC8CC
stop, xrefs: 00FEC8E4
warning, xrefs: 00FEC8FC

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 7f442f3dabe765981581c465b429abf3507384ab47e528f5235cb7d255288abd
Instruction ID: 9fe6ea47583b57d69de57bf17f320e9f7413761f58c572bbbd8c68d324a91875
Opcode Fuzzy Hash: 7f442f3dabe765981581c465b429abf3507384ab47e528f5235cb7d255288abd
Instruction Fuzzy Hash: D311EE72A89346BBE7019B569C82D9E7B9CDF16764B10003FF500A6183F7BD6E0172A4

Function 00FEDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FEDE42
gethostname.WSOCK32(?,00000100), ref: 00FEDE5C
gethostbyname.WSOCK32(?), ref: 00FEDE69
inet_ntoa.WSOCK32(?), ref: 00FEDEAB
_strcat.LIBCMT ref: 00FEDEB9
WSACleanup.WSOCK32 ref: 00FEDEDE

Strings

0.0.0.0, xrefs: 00FEDE87

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 68e25ff0ba962173786dac5c64c10134e33942f4a9294b2c5fb6f16a99bf963b
Instruction ID: 4776b13fe322083509622bceff7254673d0a46400acfd5c1e20367745f382aa8
Opcode Fuzzy Hash: 68e25ff0ba962173786dac5c64c10134e33942f4a9294b2c5fb6f16a99bf963b
Instruction Fuzzy Hash: B7110671904114AFDB30AB61DC4AEEF77ACDF55720F040169F4459A081EFBADA81A760

Function 01019F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

GetSystemMetrics.USER32(0000000F), ref: 01019FC7
GetSystemMetrics.USER32(0000000F), ref: 01019FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0101A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0101A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0101A263
ShowWindow.USER32(00000003,00000000), ref: 0101A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0101A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0101A2CA

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 12716390b3feb6475240faeee130c8755362b621caa1d169ab499973c0b14028
Instruction ID: d9a79675359e80c41ab3cf3150799b0d4bd5216931cf8cff8824997d8107df1c
Opcode Fuzzy Hash: 12716390b3feb6475240faeee130c8755362b621caa1d169ab499973c0b14028
Instruction Fuzzy Hash: 1BB18A31601265DBEF25CF6CC9857EE7BF2BF44741F0880A9ED859B289D739A940CB50

Function 00FEED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00FEED2A
_wcslen.LIBCMT ref: 00FEED3B
_wcslen.LIBCMT ref: 00FEED79
_wcslen.LIBCMT ref: 00FEEDAF
_wcslen.LIBCMT ref: 00FEEDDF
_wcslen.LIBCMT ref: 00FEEDEF
_wcslen.LIBCMT ref: 00FEEE2B
_wcslen.LIBCMT ref: 00FEEE5A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 9e02b26a5838a8818930edea1380b08b8a896cee5096c63d0dacd5e9903cfe4a
Instruction ID: a1bbd64f84fe2b789ec86837c129ebd1d96920799d73431bb054b296e6fd7d41
Opcode Fuzzy Hash: 9e02b26a5838a8818930edea1380b08b8a896cee5096c63d0dacd5e9903cfe4a
Instruction Fuzzy Hash: 5341A3A5C10258B6CB11EBF5CC8AACFB7ACAF46710F508466E518E3121FB38E255D3A5

Function 00F9F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00FD682C,00000004,00000000,00000000), ref: 00F9F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00FD682C,00000004,00000000,00000000), ref: 00FDF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00FD682C,00000004,00000000,00000000), ref: 00FDF454

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c74c6aa048a78961ac50c6bc127af76e06a779b4a51bf888e889e482f0aee2ee
Instruction ID: ad71384b907a7bc7bfae206b56dba8be23a30417b78295feab57f7e20c2411b6
Opcode Fuzzy Hash: c74c6aa048a78961ac50c6bc127af76e06a779b4a51bf888e889e482f0aee2ee
Instruction Fuzzy Hash: C9411D31E14640BAFF399B29CD88B2A7B926B57334F18443DE087D6654C67A9488F711

Function 01012D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01012D1B
GetDC.USER32(00000000), ref: 01012D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01012D2E
ReleaseDC.USER32(00000000,00000000), ref: 01012D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01012D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01012D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01015A65,?,?,000000FF,00000000,?,000000FF,?), ref: 01012DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01012DE1

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b8e2c63d83de78219bc9941336956f90b8d91460f665a3577b8f0b0aab17e437
Instruction ID: e4f7b604c49162e2424b3b58bac832198b6a868ea2a162272eaf5dc73623e3de
Opcode Fuzzy Hash: b8e2c63d83de78219bc9941336956f90b8d91460f665a3577b8f0b0aab17e437
Instruction Fuzzy Hash: 2A317C72241214BFFB258F54CD89FEB3FA9FF0A715F044055FE889A285C67A9850C7A4

Function 00FE5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00FE5637
_memcmp.LIBVCRUNTIME ref: 00FE5659
_memcmp.LIBVCRUNTIME ref: 00FE5671
_memcmp.LIBVCRUNTIME ref: 00FE5684
_memcmp.LIBVCRUNTIME ref: 00FE569E
_memcmp.LIBVCRUNTIME ref: 00FE56B1
_memcmp.LIBVCRUNTIME ref: 00FE56C9
_memcmp.LIBVCRUNTIME ref: 00FE56E4

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1f64853269f0ae099cfdbc61e99e666ae83bb841606628cca23975550748f894
Instruction ID: 8ba7a1f9ea72b31ea2fd0ce07198df4915a0e62885414090738ebf84c5a79d80
Opcode Fuzzy Hash: 1f64853269f0ae099cfdbc61e99e666ae83bb841606628cca23975550748f894
Instruction Fuzzy Hash: 2C21D7A6A40A4A7BD6149A234E92FFB335CBF21B9CF440024FD049E541F768ED14B5E5

Function 01004FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0100502E, 01005383
Not an Object type, xrefs: 01005007

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e84a0f0e197744158bb943cb58d07ad50179867f5b7eefb67c54f0ed5436c223
Instruction ID: f8e91fa5edc81f2c337474db4607ceafe9fefe0074bb614021c6503c6e185c60
Opcode Fuzzy Hash: e84a0f0e197744158bb943cb58d07ad50179867f5b7eefb67c54f0ed5436c223
Instruction Fuzzy Hash: 5DD19275A0020AAFEF11CF98CC81AAEBBF5BF48314F148469E955AB281E771D945CF50

Function 00FC1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00FC17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00FC15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00FC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00FC1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00FC17FB,?,00FC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00FC16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00FC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00FC16FB

Part of subcall function 00FB3820: RtlAllocateHeap.NTDLL(00000000,?,01051444,?,00F9FDF5,?,?,00F8A976,00000010,01051440,00F813FC,?,00F813C6,?,00F81129), ref: 00FB3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00FC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00FC1777
__freea.LIBCMT ref: 00FC17A2
__freea.LIBCMT ref: 00FC17AE

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 531d746aa7e13cf67d362bf2f3eff9e10bfc86b9793e4c65a48dac9178e3717c
Instruction ID: 1a6699fa52b5fb9419becbb8929b5e4ed8463b02dd2ded73593ad7db3ba0d0d6
Opcode Fuzzy Hash: 531d746aa7e13cf67d362bf2f3eff9e10bfc86b9793e4c65a48dac9178e3717c
Instruction Fuzzy Hash: 85919372E102179ADF208E64CE52FEE7BB5BF4A320F18465DE801E7142D739DD54AB60

Function 01004523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01004648
VariantInit.OLEAUT32(?), ref: 01004749
VariantClear.OLEAUT32(?), ref: 01004753
VariantClear.OLEAUT32(?), ref: 010047B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 010045D8, 01004706, 010047BE
Incorrect Object type in FOR..IN loop, xrefs: 0100472C

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 5380772ec302e875ffd85dd3320d36ffb9ec7176c7062b40461fd4883ad3b9ab
Instruction ID: c9be816d3b583064979350dafccdd8a9b34297f5552af7dce0ae967e09556081
Opcode Fuzzy Hash: 5380772ec302e875ffd85dd3320d36ffb9ec7176c7062b40461fd4883ad3b9ab
Instruction Fuzzy Hash: 37917D71A00219ABEF21CFA5CC84FAEBBB8FF45710F008559E645EB281D7749945CBA4

Function 00FF1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00FF125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FF1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00FF12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FF12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FF135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FF13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FF1430

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 46efa6d7b26b9bce49827b7a868ef5ffbc561d843a782aae3f849759e4f887ed
Instruction ID: c8a62c15935256793120ef1e47cf8d7ab3ba6eac8bbb98efcaba36b77b76ccf1
Opcode Fuzzy Hash: 46efa6d7b26b9bce49827b7a868ef5ffbc561d843a782aae3f849759e4f887ed
Instruction Fuzzy Hash: 9C91C172A0020DDFEB10DF94C884BBEB7B5FF45325F104029EA50EB2A1D779A945EB90

Function 00F9948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 246edf115eb30d9c03844d7debe2e4058bc935acf818b655739dd4e2ca677e16
Instruction ID: 06958a7c2879619e99ef68bc3876f340c29fc9d51776822677b7ec810e64f24e
Opcode Fuzzy Hash: 246edf115eb30d9c03844d7debe2e4058bc935acf818b655739dd4e2ca677e16
Instruction Fuzzy Hash: B1917771D04209AFDF11CFA9CC84AEEBBB9FF49320F19804AE501B7251D378AA41DB60

Function 01003947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0100396B
CharUpperBuffW.USER32(?,?), ref: 01003A7A
_wcslen.LIBCMT ref: 01003A8A
VariantClear.OLEAUT32(?), ref: 01003C1F

Part of subcall function 00FF0CDF: VariantInit.OLEAUT32(00000000), ref: 00FF0D1F
Part of subcall function 00FF0CDF: VariantCopy.OLEAUT32(?,?), ref: 00FF0D28
Part of subcall function 00FF0CDF: VariantClear.OLEAUT32(?), ref: 00FF0D34

Strings

Incorrect Parameter format, xrefs: 010039A6, 01003BA1
AUTOIT.ERROR, xrefs: 01003A80, 01003A85

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: a0da2750921b0796ee4232276cb55eb0eefcec235526ba6c0f32f212a2402655
Instruction ID: 917e066a5ec5f6c7e956fb2573714cd39cafba11a4fad2d8b5472b34f8b67435
Opcode Fuzzy Hash: a0da2750921b0796ee4232276cb55eb0eefcec235526ba6c0f32f212a2402655
Instruction Fuzzy Hash: E9917C74A083059FD705EF28C48096AB7E4FF89314F14886DF9899B391DB35ED45CB92

Function 01004BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00FE000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?,?,?,00FE035E), ref: 00FE002B
Part of subcall function 00FE000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?,?), ref: 00FE0046
Part of subcall function 00FE000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?,?), ref: 00FE0054
Part of subcall function 00FE000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?), ref: 00FE0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 01004C51
_wcslen.LIBCMT ref: 01004D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 01004DCF
CoTaskMemFree.OLE32(?), ref: 01004DDA

Strings

NULL Pointer assignment, xrefs: 01004E23, 01004E52

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 41c8f9727cd8be3c4ab94fb613b0757813a01ee7e53da5417418c66201ffe3ad
Instruction ID: 7bbfeb5fc9e094865e3bafa25d6a0224db43de1fbb8ca0b08e7281191845a8b7
Opcode Fuzzy Hash: 41c8f9727cd8be3c4ab94fb613b0757813a01ee7e53da5417418c66201ffe3ad
Instruction Fuzzy Hash: 06911971D0021D9FEF15EFA4CC91AEDB7B8BF08314F10416AEA55A7291DB749A44CF60

Function 010120FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 01012183
GetMenuItemCount.USER32(00000000), ref: 010121B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 010121DD
_wcslen.LIBCMT ref: 01012213
GetMenuItemID.USER32(?,?), ref: 0101224D
GetSubMenu.USER32(?,?), ref: 0101225B

Part of subcall function 00FE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FE3A57
Part of subcall function 00FE3A3D: GetCurrentThreadId.KERNEL32 ref: 00FE3A5E
Part of subcall function 00FE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FE25B3), ref: 00FE3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 010122E3

Part of subcall function 00FEE97B: Sleep.KERNEL32 ref: 00FEE9F3

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: cf69c8b8c2092471aae4d835cef01236470c81b3293177839a7538f3d4142af3
Instruction ID: 36917dbabe965ca467eeb1ba4e8f4b1f5d2239203083f93179a267a09d92c292
Opcode Fuzzy Hash: cf69c8b8c2092471aae4d835cef01236470c81b3293177839a7538f3d4142af3
Instruction Fuzzy Hash: F6718375E00205AFDB10EF68C845AEEBBF5FF48310F248499E956EB345D739E9418BA0

Function 01017E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(009F4A78), ref: 01017F37
IsWindowEnabled.USER32(009F4A78), ref: 01017F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0101801E
SendMessageW.USER32(009F4A78,000000B0,?,?), ref: 01018051
IsDlgButtonChecked.USER32(?,?), ref: 01018089
GetWindowLongW.USER32(009F4A78,000000EC), ref: 010180AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 010180C3

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 9c87a21bf3240f0fe38734ba19fa195ccd4492cfe4f1f1b67bab61cf34caf9e8
Instruction ID: 463f9efd8552ee08a5a193f0d2458b6c9f4f62bf8a59c6c7ca09ba7486d63fc2
Opcode Fuzzy Hash: 9c87a21bf3240f0fe38734ba19fa195ccd4492cfe4f1f1b67bab61cf34caf9e8
Instruction Fuzzy Hash: 18715D75604204AFEB629F68C884FEB7BF5EF09300F14449EFAD597259C73AA941CB10

Function 00FEAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FEAEF9
GetKeyboardState.USER32(?), ref: 00FEAF0E
SetKeyboardState.USER32(?), ref: 00FEAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00FEAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00FEAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00FEAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FEB020

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9cf7ba169698d06abec59131084719d4946ead4362080e8dd378dafba982f6a1
Instruction ID: 1508e10c9f5b9036a4bece24708347f2daec20db5af2ea545401aa26077cf5f2
Opcode Fuzzy Hash: 9cf7ba169698d06abec59131084719d4946ead4362080e8dd378dafba982f6a1
Instruction Fuzzy Hash: C751C1A0A047D53DFB3683368C45BBBBEA95B46324F088489E2D9458C2C3D9FCC8E751

Function 00FEACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00FEAD19
GetKeyboardState.USER32(?), ref: 00FEAD2E
SetKeyboardState.USER32(?), ref: 00FEAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FEADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FEADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FEAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FEAE38

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 87b474a414c6d282828d543d4adab52bcdddd95da7ccdd3bb758e8e18d110b4e
Instruction ID: 2125f6e7098eef973fb35ac7f391386a3de9e915c01ec067fcf5b20bdf583920
Opcode Fuzzy Hash: 87b474a414c6d282828d543d4adab52bcdddd95da7ccdd3bb758e8e18d110b4e
Instruction Fuzzy Hash: 8551F5A1D047D53DFB3382368C95B7ABEA95F46310F088489E1D5468C2D298FC98F762

Function 00FB542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00FC3CD6,?,?,?,?,?,?,?,?,00FB5BA3,?,?,00FC3CD6,?,?), ref: 00FB5470
__fassign.LIBCMT ref: 00FB54EB
__fassign.LIBCMT ref: 00FB5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00FC3CD6,00000005,00000000,00000000), ref: 00FB552C
WriteFile.KERNEL32(?,00FC3CD6,00000000,00FB5BA3,00000000,?,?,?,?,?,?,?,?,?,00FB5BA3,?), ref: 00FB554B
WriteFile.KERNEL32(?,?,00000001,00FB5BA3,00000000,?,?,?,?,?,?,?,?,?,00FB5BA3,?), ref: 00FB5584

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: f3a7f163ea15efa2c1470a97019f9643a57aac2bb7908a7d8de4bf833966034f
Instruction ID: eee7a7886fef9b5151cbdb07dcfef5f0b237449b2c500dc3440ad01a1a79549a
Opcode Fuzzy Hash: f3a7f163ea15efa2c1470a97019f9643a57aac2bb7908a7d8de4bf833966034f
Instruction Fuzzy Hash: 4D51C1B1A006489FDB20CFA9D841BEEBBF9EF09711F18411AF955E7281D638DA41CF60

Function 00FA2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00FA2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00FA2D53
_ValidateLocalCookies.LIBCMT ref: 00FA2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00FA2E0C
_ValidateLocalCookies.LIBCMT ref: 00FA2E61

Strings

csm, xrefs: 00FA2DF6

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 402a8aa71455eabd0ae6881687f51e26263bbbcb9a26083b7f2c51649ebbfe73
Instruction ID: e4a3325720eb95e5ebe87c16e318a6aaee5a066f095e57d7ae67352d6d147f90
Opcode Fuzzy Hash: 402a8aa71455eabd0ae6881687f51e26263bbbcb9a26083b7f2c51649ebbfe73
Instruction Fuzzy Hash: DF41A0B5F01209ABCF10DF6CC885A9EBBA5BF46328F148155F8146B352D739DA05EB90

Function 010010B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0100304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0100307A
Part of subcall function 0100304E: _wcslen.LIBCMT ref: 0100309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 01001112
WSAGetLastError.WSOCK32 ref: 01001121
WSAGetLastError.WSOCK32 ref: 010011C9
closesocket.WSOCK32(00000000), ref: 010011F9

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: acdbdd77310da935f1ef43344b1b36237c69449312f4c539226da86e47af880f
Instruction ID: 0136ac451f93870f0ae42a1dce22efcc8810a200fc41838dae6ec877627cbba1
Opcode Fuzzy Hash: acdbdd77310da935f1ef43344b1b36237c69449312f4c539226da86e47af880f
Instruction Fuzzy Hash: C541A131600204AFEB169F18C884BEABBE9FF45324F148059FD959B2C5C779E941CBE1

Function 00FECF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FECF22,?), ref: 00FEDDFD

Part of subcall function 00FEDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FECF22,?), ref: 00FEDE16

lstrcmpiW.KERNEL32(?,?), ref: 00FECF45
MoveFileW.KERNEL32(?,?), ref: 00FECF7F
_wcslen.LIBCMT ref: 00FED005
_wcslen.LIBCMT ref: 00FED01B
SHFileOperationW.SHELL32(?), ref: 00FED061

Strings

\*.*, xrefs: 00FECFF3

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: ecde7517bbbb282e2dfb524d6d4fa998c6e685800604fa596b78654389151479
Instruction ID: c05139a95a44893d9bbaaaadd2852ff02f215504ffbd8711817fc07dfe8fef6c
Opcode Fuzzy Hash: ecde7517bbbb282e2dfb524d6d4fa998c6e685800604fa596b78654389151479
Instruction Fuzzy Hash: 664186B1D452585FDF22EFA5DD81ADEB7B8AF08380F0000E6E505EB141EB39A785DB50

Function 01012DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 01012E1C
GetWindowLongW.USER32(?,000000F0), ref: 01012E4F
GetWindowLongW.USER32(?,000000F0), ref: 01012E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 01012EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 01012EE0
GetWindowLongW.USER32(?,000000F0), ref: 01012EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01012F0B

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: c16f0ff0ace7b6b2e862702bc595ce05c7c0fffa8e9e8d53df566d96f7f58389
Instruction ID: 7bcc004ace9be85f5446f378e781e08f685e2aa28d6cbc0a301345d1aba91275
Opcode Fuzzy Hash: c16f0ff0ace7b6b2e862702bc595ce05c7c0fffa8e9e8d53df566d96f7f58389
Instruction Fuzzy Hash: 0A310634644250AFEB21CF5CDD84FA537E5FB5A714F2501A4F9908F2AACB7AE840DB41

Function 00FE7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FE7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FE778F
SysAllocString.OLEAUT32(00000000), ref: 00FE7792
SysAllocString.OLEAUT32(?), ref: 00FE77B0
SysFreeString.OLEAUT32(?), ref: 00FE77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00FE77DE
SysAllocString.OLEAUT32(?), ref: 00FE77EC

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 75f7072fd59febdeb740a855e9218222b79a74a81cb7d4fbc51ce61ce060c9b1
Instruction ID: 603ed87e4a53c016cef1c263ffa5ca6fc6ff585543b2e22967283ddda06db7dd
Opcode Fuzzy Hash: 75f7072fd59febdeb740a855e9218222b79a74a81cb7d4fbc51ce61ce060c9b1
Instruction Fuzzy Hash: A421D676A08359AFEF20EEA9CC88DBB73ACEB093647048025F904DB150D678DC419760

Function 00FE77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FE7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FE7868
SysAllocString.OLEAUT32(00000000), ref: 00FE786B
SysAllocString.OLEAUT32 ref: 00FE788C
SysFreeString.OLEAUT32 ref: 00FE7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00FE78AF
SysAllocString.OLEAUT32(?), ref: 00FE78BD

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5c1dcdf96183ec72b869f248cf592d5f6a2eb8a0caaef54f4cb1cbc767042cf1
Instruction ID: 6f88b147884d142e5fca065b7176264d6e1acac20ca4612afaa64b793793212b
Opcode Fuzzy Hash: 5c1dcdf96183ec72b869f248cf592d5f6a2eb8a0caaef54f4cb1cbc767042cf1
Instruction Fuzzy Hash: D121D831A48214AFEF10AFB9CC8CDAA77ECEB193607208025F914CB194DA78DD41DB64

Function 00FF04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FF04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FF052E

Strings

nul, xrefs: 00FF0567

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 4f6115f9113b3ae1b2d108bf01ad85c67c2b71d273c1dff59eb9d0ad39a6ed3b
Instruction ID: 3088e4e3e2a1e3ac2760c5a6c8752ee4c0b1394130f7dbe7fdb82dbc5da82bce
Opcode Fuzzy Hash: 4f6115f9113b3ae1b2d108bf01ad85c67c2b71d273c1dff59eb9d0ad39a6ed3b
Instruction Fuzzy Hash: AF219475900309AFDF208F69D844AAA77B4AF45734F284A19F9A1D72E1DBB1D940DF20

Function 00FF05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FF05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FF0601

Strings

nul, xrefs: 00FF0639

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9e21be3d9fc94044a00fefc4dfce43f1210ff62d4b33a622bf7c2eccd996f761
Instruction ID: d242ce47dd7a02b6258d4bfc3eade6bf8899692d3df635ed12e5e83473b0dbb0
Opcode Fuzzy Hash: 9e21be3d9fc94044a00fefc4dfce43f1210ff62d4b33a622bf7c2eccd996f761
Instruction Fuzzy Hash: E821A3759003199BDB208F698804AAA77E4AF85730F200A19FAA1D72E1DFB19960DB10

Function 010140AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F8600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F8604C
Part of subcall function 00F8600E: GetStockObject.GDI32(00000011), ref: 00F86060
Part of subcall function 00F8600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F8606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01014112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0101411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0101412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01014139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01014145

Strings

Msctls_Progress32, xrefs: 010140E3

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 91372ffbd3ac3334f0febc5c0e32a715e49f2bc657471bc14c7b816088c52109
Instruction ID: 39d1b633360194aaf3fda6466a87fbe580a4ab6a07729a7aae5523d5197f6ca2
Opcode Fuzzy Hash: 91372ffbd3ac3334f0febc5c0e32a715e49f2bc657471bc14c7b816088c52109
Instruction Fuzzy Hash: 7011B2B2140219BEEF219E65CC85EE77F9DEF09798F004111BA58E6054C776DC21DBA4

Function 00FBD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FBD7A3: _free.LIBCMT ref: 00FBD7CC

_free.LIBCMT ref: 00FBD82D

Part of subcall function 00FB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000), ref: 00FB29DE
Part of subcall function 00FB29C8: GetLastError.KERNEL32(00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000,00000000), ref: 00FB29F0

_free.LIBCMT ref: 00FBD838
_free.LIBCMT ref: 00FBD843
_free.LIBCMT ref: 00FBD897
_free.LIBCMT ref: 00FBD8A2
_free.LIBCMT ref: 00FBD8AD
_free.LIBCMT ref: 00FBD8B8

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: c32d5dcd4e2e16652645884f863a805b4f9ccf1782375f0a57dc59218e4dca28
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: DF115171540B04BBD521BFB2CC47FCB7BEC6F00700F400C25B29DA6492EA69B5057E51

Function 00FEDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FEDA74
LoadStringW.USER32(00000000), ref: 00FEDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FEDA91
LoadStringW.USER32(00000000), ref: 00FEDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FEDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FEDAB9

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a9d1d02e8ba50b0e3247db8edebf678664d8373f22e28de6000eb2d7ab37d247
Instruction ID: 2b627961194615aca2dfa58ab4e170faaa9556d3de7e4cbf50dc8562e9f110fd
Opcode Fuzzy Hash: a9d1d02e8ba50b0e3247db8edebf678664d8373f22e28de6000eb2d7ab37d247
Instruction Fuzzy Hash: D90162F69402087FF710ABA09E89EE7336CE708701F4008A5B786E6045EA7DDE844B74

Function 00FF096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(009EE0B0,009EE0B0), ref: 00FF097B
EnterCriticalSection.KERNEL32(009EE090,00000000), ref: 00FF098D
TerminateThread.KERNEL32(?,000001F6), ref: 00FF099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00FF09A9
CloseHandle.KERNEL32(?), ref: 00FF09B8
InterlockedExchange.KERNEL32(009EE0B0,000001F6), ref: 00FF09C8
LeaveCriticalSection.KERNEL32(009EE090), ref: 00FF09CF

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 4d90e3ed7ad9e3c93dca51ee98be57e6b5441e6a5a97b257e8058c7abd1da392
Instruction ID: 1bfc1e0d2848a1a9d86f0d614f260419cf20d37437a70714f32bf5b4fcee58a0
Opcode Fuzzy Hash: 4d90e3ed7ad9e3c93dca51ee98be57e6b5441e6a5a97b257e8058c7abd1da392
Instruction Fuzzy Hash: 85F01D31482612BBE7615B94EF88AE67A35BF01712F401015F241508A5DB7ED565DF90

Function 01001C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01001DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01001DE1
WSAGetLastError.WSOCK32 ref: 01001DF2
htons.WSOCK32(?,?,?,?,?), ref: 01001EDB
inet_ntoa.WSOCK32(?), ref: 01001E8C

Part of subcall function 00FE39E8: _strlen.LIBCMT ref: 00FE39F2

Part of subcall function 01003224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00FFEC0C), ref: 01003240

_strlen.LIBCMT ref: 01001F35

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: fa8ba8b97875b0eada16f2662e5a08d6b6f2581757e06bc1036f040b320b5816
Instruction ID: d9248fed4f691b2fc7f90b729d4eb4b73a3c4a970737832ed1c06bb91f8e5f50
Opcode Fuzzy Hash: fa8ba8b97875b0eada16f2662e5a08d6b6f2581757e06bc1036f040b320b5816
Instruction Fuzzy Hash: A3B1E130204340AFE725EF28C885E7A7BE5AF85318F54858CF5965B2E2CB75ED42CB91

Function 00F85D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00F85D30
GetWindowRect.USER32(?,?), ref: 00F85D71
ScreenToClient.USER32(?,?), ref: 00F85D99
GetClientRect.USER32(?,?), ref: 00F85ED7
GetWindowRect.USER32(?,?), ref: 00F85EF8

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 070347b1b5b6e07b6989ceeb77e862e25f844995be19c087b3bd13c325955bc4
Instruction ID: 467ecce3d2a6edc3cf66cda3648bf265f5efd059243e330b4f6e7ab01c9c389c
Opcode Fuzzy Hash: 070347b1b5b6e07b6989ceeb77e862e25f844995be19c087b3bd13c325955bc4
Instruction Fuzzy Hash: 6EB17935A0064ADBDB14DFA8C981BEEB7F1FF58310F14841AE8A9D7250DB34EA51EB50

Function 00FB01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00FB00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB00D6
__allrem.LIBCMT ref: 00FB00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB010B
__allrem.LIBCMT ref: 00FB0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB0140

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: dd967dc0fedf7faf4e29295e87ae3b04c6ffec3a117871bca88d051111d98b9b
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 0581FC72A007069FE724AE69CC41BAB73E9AF42374F24423DF551DB281EB74D904AF50

Function 00FB61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00FA82D9,00FA82D9,?,?,?,00FB644F,00000001,00000001,8BE85006), ref: 00FB6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00FB644F,00000001,00000001,8BE85006,?,?,?), ref: 00FB62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00FB63D8
__freea.LIBCMT ref: 00FB63E5

Part of subcall function 00FB3820: RtlAllocateHeap.NTDLL(00000000,?,01051444,?,00F9FDF5,?,?,00F8A976,00000010,01051440,00F813FC,?,00F813C6,?,00F81129), ref: 00FB3852

__freea.LIBCMT ref: 00FB63EE
__freea.LIBCMT ref: 00FB6413

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 277fd6a88b613a92856d61fbc56b1220b8f3037cf717bccf6f5fc3c5a7a83d9d
Instruction ID: 6b23be122217a4e75ae4c1c00097aba9de27e82701deec840f7abf1e90b019d8
Opcode Fuzzy Hash: 277fd6a88b613a92856d61fbc56b1220b8f3037cf717bccf6f5fc3c5a7a83d9d
Instruction Fuzzy Hash: F351C072A00216ABEF259E66DD81EEF77A9EB44760F184629FC05D6240DB3CDC44EE60

Function 0100BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 0100C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100B6AE,?,?), ref: 0100C9B5
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100C9F1
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100CA68
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0100BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0100BD25
RegCloseKey.ADVAPI32(00000000), ref: 0100BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0100BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0100BDF3
RegCloseKey.ADVAPI32(?), ref: 0100BDFF

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: d62dc5dbb200156d118714fd3d522d711d291a773b9d3ae6fe6865f47c8d8826
Instruction ID: e8df63ba2b7b89f93ad08b186760909e7c19c89722f50f1c3b7ae56e1e22ab2c
Opcode Fuzzy Hash: d62dc5dbb200156d118714fd3d522d711d291a773b9d3ae6fe6865f47c8d8826
Instruction Fuzzy Hash: 9A81F434208241EFE715EF24C881E6ABBE5FF84308F14859DF5958B2A2DB35ED45CB92

Function 00FDF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00FDF7B9
SysAllocString.OLEAUT32(00000001), ref: 00FDF860
VariantCopy.OLEAUT32(00FDFA64,00000000), ref: 00FDF889
VariantClear.OLEAUT32(00FDFA64), ref: 00FDF8AD
VariantCopy.OLEAUT32(00FDFA64,00000000), ref: 00FDF8B1
VariantClear.OLEAUT32(?), ref: 00FDF8BB

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 8858b3fa74ea99079ab98548defe52276138b8b38445ee930601fc36e8405d17
Instruction ID: 4b6cd6b64985c45f94e7efb81d207d904a61e0bb77de04be9e672d16d38dada5
Opcode Fuzzy Hash: 8858b3fa74ea99079ab98548defe52276138b8b38445ee930601fc36e8405d17
Instruction Fuzzy Hash: 5051C531A40310AADF20AB65DC95F29B3A6EF45310B288467E907DF395DB788C48F757

Function 00FF910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00F87620: _wcslen.LIBCMT ref: 00F87625

Part of subcall function 00F86B57: _wcslen.LIBCMT ref: 00F86B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00FF94E5
_wcslen.LIBCMT ref: 00FF9506
_wcslen.LIBCMT ref: 00FF952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00FF9585

Strings

X, xrefs: 00FF9412

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: f14ef2eb013696e6f0eee1fa1988d4fb1b44b5366a901bf99b5f5075de639e73
Instruction ID: e2e091dcb8a1e237065df9d358c4ea0e532e65814f5d1f04101b96a288c24f11
Opcode Fuzzy Hash: f14ef2eb013696e6f0eee1fa1988d4fb1b44b5366a901bf99b5f5075de639e73
Instruction Fuzzy Hash: 5CE1D571908301CFD724EF24C881BAAB7E4BF85314F08856DF9899B2A2DB75DD05DB91

Function 00F9920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

BeginPaint.USER32(?,?,?), ref: 00F99241
GetWindowRect.USER32(?,?), ref: 00F992A5
ScreenToClient.USER32(?,?), ref: 00F992C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F992D3
EndPaint.USER32(?,?,?,?,?), ref: 00F99321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00FD71EA

Part of subcall function 00F99339: BeginPath.GDI32(00000000), ref: 00F99357

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 0dcd2c35ea8713dccc5907744420f8e355edd973bd3d546f189516bbf4a21bca
Instruction ID: f2ef7251fee1a654f53c3c08357ad463d7f9999d1e93089ac9bf776211a3bf52
Opcode Fuzzy Hash: 0dcd2c35ea8713dccc5907744420f8e355edd973bd3d546f189516bbf4a21bca
Instruction Fuzzy Hash: BA41B371508300AFEB21DF18C884FBB7BB9EB46320F14061DF995872E1D7799845EB61

Function 00FF07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FF080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00FF0847
EnterCriticalSection.KERNEL32(?), ref: 00FF0863
LeaveCriticalSection.KERNEL32(?), ref: 00FF08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00FF08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FF0921

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 92f2973197f48479cc055cc74637dfd009d4f9fb2ac20939ae5203806c66fb55
Instruction ID: dd5ad6b3d62723cf5af20522ac76e27432343886a8296d0356667875cda8648a
Opcode Fuzzy Hash: 92f2973197f48479cc055cc74637dfd009d4f9fb2ac20939ae5203806c66fb55
Instruction Fuzzy Hash: 9B417E71900209EBEF24AF54DC85AAA7778FF04310F1440A5ED04DA29BDB79DE54EBA4

Function 010181DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00FDF3AB,00000000,?,?,00000000,?,00FD682C,00000004,00000000,00000000), ref: 0101824C
EnableWindow.USER32(?,00000000), ref: 01018272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 010182D1
ShowWindow.USER32(?,00000004), ref: 010182E5
EnableWindow.USER32(?,00000001), ref: 0101830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0101832F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 9195e3aaf43aab520ad0a1a66623da121cb9966cad8e40b15e1f338d31aeee32
Instruction ID: 874bc26aacbcb9814f17de25eb1afdd344b99de54fefe10a656d53cf380d5250
Opcode Fuzzy Hash: 9195e3aaf43aab520ad0a1a66623da121cb9966cad8e40b15e1f338d31aeee32
Instruction Fuzzy Hash: D941DD34601644EFEB62CF18C489BE57FF0FB09714F1881E6E6984F16AC37AA541CB50

Function 010022DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 010022E8

Part of subcall function 00FFE4EC: GetWindowRect.USER32(?,?), ref: 00FFE504

GetDesktopWindow.USER32 ref: 01002312
GetWindowRect.USER32(00000000), ref: 01002319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 01002355
GetCursorPos.USER32(?), ref: 01002381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010023DF

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 1ea0bd61ecb176adb6606e0e0baaecf1341486b0f3d4f98cb200436ffbbf833c
Instruction ID: 93761171fd8205d54fd0479efbece1f1a39cbfedb8923f5cfa898eacfc8e686f
Opcode Fuzzy Hash: 1ea0bd61ecb176adb6606e0e0baaecf1341486b0f3d4f98cb200436ffbbf833c
Instruction Fuzzy Hash: 8C31C072505305AFE721DF59D848B5BBBE9FF88314F004A19F9C597181DB39EA08CB92

Function 00FE4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00FE4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FE4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FE4CEA
_wcslen.LIBCMT ref: 00FE4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FE4D10
_wcsstr.LIBVCRUNTIME ref: 00FE4D1A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 754e01d4f6e0d5c5982a50ada0091e385f28d3c3c724ef9e08f1ea4855521370
Instruction ID: 1d480ea6f1d78a3ae6b1e766ad3dd2e6ccd6a634c450f2d27631eff0d4beded5
Opcode Fuzzy Hash: 754e01d4f6e0d5c5982a50ada0091e385f28d3c3c724ef9e08f1ea4855521370
Instruction Fuzzy Hash: 8D21F9726042407BFB355B3AAD49E7B7B9CDF49760F10402DF805CA192DA79EC40A7A0

Function 00FF581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F83A97,?,?,00F82E7F,?,?,?,00000000), ref: 00F83AC2

_wcslen.LIBCMT ref: 00FF587B
CoInitialize.OLE32(00000000), ref: 00FF5995
CoCreateInstance.OLE32(0101FCF8,00000000,00000001,0101FB68,?), ref: 00FF59AE
CoUninitialize.OLE32 ref: 00FF59CC

Strings

.lnk, xrefs: 00FF5876, 00FF58C1, 00FF5985

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 78cfef82c8ea62a58ba3fb5ca6fff7773bb668f8cea6b168b4a8267bb01ab2cb
Instruction ID: 225ea59e9234e03f6d74aab558a7b40603d2d75754d816e7f5e3fcbe2f98861a
Opcode Fuzzy Hash: 78cfef82c8ea62a58ba3fb5ca6fff7773bb668f8cea6b168b4a8267bb01ab2cb
Instruction Fuzzy Hash: 1AD17771A047059FC714EF14C880A6ABBE1FF89B24F14485DFA899B361D735EC05DB92

Function 00FE175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FE0FCA
Part of subcall function 00FE0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FE0FD6
Part of subcall function 00FE0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FE0FE5
Part of subcall function 00FE0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FE0FEC
Part of subcall function 00FE0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FE1002

GetLengthSid.ADVAPI32(?,00000000,00FE1335), ref: 00FE17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FE17BA
HeapAlloc.KERNEL32(00000000), ref: 00FE17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00FE17DA
GetProcessHeap.KERNEL32(00000000,00000000,00FE1335), ref: 00FE17EE
HeapFree.KERNEL32(00000000), ref: 00FE17F5

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d6b650ec47188bb99a6789e8d7307623026951a5ecea10333597c9f184627bd2
Instruction ID: 607b3edb87dfa9314ebe56d428db63aae61b4288b8a55701656dd60e36737e19
Opcode Fuzzy Hash: d6b650ec47188bb99a6789e8d7307623026951a5ecea10333597c9f184627bd2
Instruction Fuzzy Hash: 1C117C32984205EFEB249FA6CD49BAF7BA9FB46765F104118F48197200D73AE944EB60

Function 00FE14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FE14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00FE1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FE1515
CloseHandle.KERNEL32(00000004), ref: 00FE1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FE154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00FE1563

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 81efa7ab7f39981544991f524fe1d5950901763de613d99a85afaf95fd1ff9f0
Instruction ID: fedd3fc4857f14b48651d1cc5f1be39b998c292f3bf0ba4101af8e3cbe581ff6
Opcode Fuzzy Hash: 81efa7ab7f39981544991f524fe1d5950901763de613d99a85afaf95fd1ff9f0
Instruction Fuzzy Hash: 1B115972500249ABEF22CF99DE49BDE7BA9FF49714F044014FA05A2190C37ACE60EB60

Function 00FA3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FA3379,00FA2FE5), ref: 00FA3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FA339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FA33B7
SetLastError.KERNEL32(00000000,?,00FA3379,00FA2FE5), ref: 00FA3409

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e4165cf4a42c52969869073c0aa417a4c494e799bc9a785a71d54d26544f4b46
Instruction ID: 9f1a23027430a7995c610978952c56a27d1080bddf0fffee90f08684a838e5a4
Opcode Fuzzy Hash: e4165cf4a42c52969869073c0aa417a4c494e799bc9a785a71d54d26544f4b46
Instruction Fuzzy Hash: 3D0124F3A0E3117FFB342674BEC9A673A94EB0B3793200229F410802E0EF1A4E017644

Function 00FB2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FB5686,00FC3CD6,?,00000000,?,00FB5B6A,?,?,?,?,?,00FAE6D1,?,01048A48), ref: 00FB2D78
_free.LIBCMT ref: 00FB2DAB
_free.LIBCMT ref: 00FB2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00FAE6D1,?,01048A48,00000010,00F84F4A,?,?,00000000,00FC3CD6), ref: 00FB2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00FAE6D1,?,01048A48,00000010,00F84F4A,?,?,00000000,00FC3CD6), ref: 00FB2DEC
_abort.LIBCMT ref: 00FB2DF2

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d6326ada8b77438f2b0f64625d79dea3262d363954c46743cafae3896b16bd7f
Instruction ID: 37e2e3b1e220139381d115e8a8662c8da0f5c6149c229c9c5f6c20aecec632c5
Opcode Fuzzy Hash: d6326ada8b77438f2b0f64625d79dea3262d363954c46743cafae3896b16bd7f
Instruction Fuzzy Hash: 7AF0283698560027D7A2363BBD0AEDF3569AFCA7B0F240518F86492189EE2DC9017E20

Function 01018A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F99639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F99693
Part of subcall function 00F99639: SelectObject.GDI32(?,00000000), ref: 00F996A2
Part of subcall function 00F99639: BeginPath.GDI32(?), ref: 00F996B9
Part of subcall function 00F99639: SelectObject.GDI32(?,00000000), ref: 00F996E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 01018A4E
LineTo.GDI32(?,00000003,00000000), ref: 01018A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 01018A70
LineTo.GDI32(?,00000000,00000003), ref: 01018A80
EndPath.GDI32(?), ref: 01018A90
StrokePath.GDI32(?), ref: 01018AA0

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: e1c05022166b0b4180b76bd7217eb0be4c24426accbc9b0b7c5f4532c33a4de2
Instruction ID: e3e8fc3496949a78b1fad5350ab25efe0ca724544473c54435a37bafb27dbbfc
Opcode Fuzzy Hash: e1c05022166b0b4180b76bd7217eb0be4c24426accbc9b0b7c5f4532c33a4de2
Instruction Fuzzy Hash: 82111E7604010CBFEF129F94DC48F9A7FACEB05354F008451FA5596164C77A9D55DFA0

Function 00FE51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FE5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00FE5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FE5230
ReleaseDC.USER32(00000000,00000000), ref: 00FE5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FE524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00FE5261

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 01748a58c33900da33e97935e9ddf1655c80fb8ec1b0b43b3a7c3b3eaa14a8e3
Instruction ID: 76aa514c35ec603bf036c9dccfd42b80a9054a3b8384945d0e63ffcb96c24a25
Opcode Fuzzy Hash: 01748a58c33900da33e97935e9ddf1655c80fb8ec1b0b43b3a7c3b3eaa14a8e3
Instruction Fuzzy Hash: B7018F75E40708BBEB109BE69D49E5EBFB8FB48751F044065FA09A7280D675D800CBA0

Function 00F81BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F81BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F81BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F81C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F81C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F81C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F81C22

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: e74ee9f84faf82eabb002a28b7d717ab652cae35ede04fd1bcdb169046b6bd33
Instruction ID: c135a61075723070c8ddcf51062984046b39ede11320f0fb61e67f0214aa4124
Opcode Fuzzy Hash: e74ee9f84faf82eabb002a28b7d717ab652cae35ede04fd1bcdb169046b6bd33
Instruction Fuzzy Hash: 520167B0942B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00FEEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FEEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FEEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00FEEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FEEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FEEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FEEB75

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5f84ff1282d160748d0e06d61013c1d9382bee8e1918fad1043c8c0bb9e7cba6
Instruction ID: 1a7184eaae60249d0564937fec1add804108ae502842ba73ab1a73344774bc86
Opcode Fuzzy Hash: 5f84ff1282d160748d0e06d61013c1d9382bee8e1918fad1043c8c0bb9e7cba6
Instruction Fuzzy Hash: E8F01D72581158BBE63156529D0DEAB3A7CEBCAB15F000158F641D1084D6A9AA0187B5

Function 00FD7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00FD7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00FD7469
GetWindowDC.USER32(?), ref: 00FD7475
GetPixel.GDI32(00000000,?,?), ref: 00FD7484
ReleaseDC.USER32(?,00000000), ref: 00FD7496
GetSysColor.USER32(00000005), ref: 00FD74B0

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 251c45963483706635c76b87520f92099b29e85850908a907c4b19711682dba8
Instruction ID: 93412c8f9313288e3a88af091826da19048dc179ecdf05dfc383f06e4f281fc4
Opcode Fuzzy Hash: 251c45963483706635c76b87520f92099b29e85850908a907c4b19711682dba8
Instruction Fuzzy Hash: 3D01AD32440215EFEB61AF64DD08BAA7BB6FF08321F650464F955A2190CB3A5E41EB10

Function 00FE1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FE187F
UnloadUserProfile.USERENV(?,?), ref: 00FE188B
CloseHandle.KERNEL32(?), ref: 00FE1894
CloseHandle.KERNEL32(?), ref: 00FE189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00FE18A5
HeapFree.KERNEL32(00000000), ref: 00FE18AC

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5d824810a9dff88c6a905cbe35fbb8243a0ddc22c4cc04a4996918196c2d35b3
Instruction ID: 6489a5bd910090da09510a1c69696e08825153bc607e75ba9152e57104ba6925
Opcode Fuzzy Hash: 5d824810a9dff88c6a905cbe35fbb8243a0ddc22c4cc04a4996918196c2d35b3
Instruction Fuzzy Hash: 88E0E536484611BBEB115FA1EE0C90ABF3AFF4AB22B108220F26581068CB7BD520DB50

Function 00FEC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F87620: _wcslen.LIBCMT ref: 00F87625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FEC6EE
_wcslen.LIBCMT ref: 00FEC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FEC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FEC7CA

Strings

0, xrefs: 00FEC6AF

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: a75c7b4fb397164ef1cb9833e94a491f764c8715c9d9f446e47674a7b44089a8
Instruction ID: d0d9fcee6c19215617e112ac0b156ddde0b2cc211733de3ce378debfb25ec4b7
Opcode Fuzzy Hash: a75c7b4fb397164ef1cb9833e94a491f764c8715c9d9f446e47674a7b44089a8
Instruction Fuzzy Hash: 5651D371A043809BD7509F2AC845B6B7BE4AF49320F040A2DF995D3190DB74DD46EBD2

Function 0100AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0100AEA3

Part of subcall function 00F87620: _wcslen.LIBCMT ref: 00F87625

GetProcessId.KERNEL32(00000000), ref: 0100AF38
CloseHandle.KERNEL32(00000000), ref: 0100AF67

Strings

<, xrefs: 0100AE6B
@, xrefs: 0100AE72

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 3e7f2702da00c4031efadbd46ceec6b763a8db5de81fd1dd9ecfebbfd03b8a4c
Instruction ID: 1a518f46fbd90fa174245d66aba94ab7c50446e0b1a2d892f82bd15518ae55dc
Opcode Fuzzy Hash: 3e7f2702da00c4031efadbd46ceec6b763a8db5de81fd1dd9ecfebbfd03b8a4c
Instruction Fuzzy Hash: 85714A71A00715DFEB15EF94C884A9EBBF0BF08314F148499E856AB392C779ED45CBA0

Function 00FE719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FE7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FE723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FE724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FE72CF

Strings

DllGetClassObject, xrefs: 00FE7242

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 827b2b82eb04a5f7cbdc0f9c576eb6ddf308358a45b4cec9e8588c44bde7cc17
Instruction ID: 04f0cccccf1601eea667b085dac217dd3b3d63443a6ceeb1cb91411a1e58d900
Opcode Fuzzy Hash: 827b2b82eb04a5f7cbdc0f9c576eb6ddf308358a45b4cec9e8588c44bde7cc17
Instruction Fuzzy Hash: A641BDB1A04305EFDB25DF55C884A9A7BA9EF44310F1080A9BE059F20AD7B5DD00EFA0

Function 01013D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01013E35
IsMenu.USER32(?), ref: 01013E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01013E92
DrawMenuBar.USER32 ref: 01013EA5

Strings

0, xrefs: 01013D89

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 74e800704328111f1eb1822384f40a4f0613d6968b24ca101178f0355b1a46e0
Instruction ID: 4b641d1cb754c339b522f393fabf23f60234eb8b69c138aa296399b5df62074f
Opcode Fuzzy Hash: 74e800704328111f1eb1822384f40a4f0613d6968b24ca101178f0355b1a46e0
Instruction Fuzzy Hash: A1416875A00309EFEB20DF54D884AAABBF9FF49360F044069E985AB284D739E944CF50

Function 00FE1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 00FE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FE3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FE1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FE1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00FE1EA9

Part of subcall function 00F86B57: _wcslen.LIBCMT ref: 00F86B6A

Strings

ListBox, xrefs: 00FE1E25
ComboBox, xrefs: 00FE1DF0

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 0c72c958fb1bd06fba4b8cbd329129332ac42e2ec233fd7192c43b343c21a4b2
Instruction ID: 643ca9458c078f4f206f402b33b4a59652db29fd3f52ba10861eaf53a9e21ec1
Opcode Fuzzy Hash: 0c72c958fb1bd06fba4b8cbd329129332ac42e2ec233fd7192c43b343c21a4b2
Instruction Fuzzy Hash: D7214771A00148BFEB14AB76DC49CFFB7B8EF46364B144129F821A71D1DB7D5909AB20

Function 01012F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01012F8D
LoadLibraryW.KERNEL32(?), ref: 01012F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01012FA9
DestroyWindow.USER32(?), ref: 01012FB1

Strings

SysAnimate32, xrefs: 01012F68

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 9553e226d9536a04a22ff57c9f4eec58cea806637d8038136c9ae8426a2c16a5
Instruction ID: ff33edffd288a0ea6e20cc9ad562d50542e7316fdcdf541abd0799476de5aa0d
Opcode Fuzzy Hash: 9553e226d9536a04a22ff57c9f4eec58cea806637d8038136c9ae8426a2c16a5
Instruction Fuzzy Hash: DD21CD71200209AFEF214EA8DC84FBB37EDEB49364F20062CFA90D6199D779DC519760

Function 00FA4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00FA4D1E,00FB28E9,?,00FA4CBE,00FB28E9,010488B8,0000000C,00FA4E15,00FB28E9,00000002), ref: 00FA4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FA4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00FA4D1E,00FB28E9,?,00FA4CBE,00FB28E9,010488B8,0000000C,00FA4E15,00FB28E9,00000002,00000000), ref: 00FA4DC3

Strings

mscoree.dll, xrefs: 00FA4D86
CorExitProcess, xrefs: 00FA4D98

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 85a69d6e25db7bf79085262c078ee43ac7c13ca08426342dd2a588a86d660d96
Instruction ID: ca7742a31e999728178f0a570effbfa9c9502e0f3f6b03c2046d1d3ba759b5c7
Opcode Fuzzy Hash: 85a69d6e25db7bf79085262c078ee43ac7c13ca08426342dd2a588a86d660d96
Instruction Fuzzy Hash: 0AF0C274A80218BBEB209F90DD49BADBFB4EF45721F0000A8F845A6644CF7A9E40DB90

Function 00FDD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00FDD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00FDD3BF
FreeLibrary.KERNEL32(00000000), ref: 00FDD3E5

Strings

X64, xrefs: 00FDD2A8
GetSystemWow64DirectoryW, xrefs: 00FDD3B9

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 220f0f0e99bdd54533f8436176362116e959a4df00ae720143ca93a006db86bb
Instruction ID: 5b566e622cb68a211a826c90ac3be52dddad9610a8ee02806402eb256a557995
Opcode Fuzzy Hash: 220f0f0e99bdd54533f8436176362116e959a4df00ae720143ca93a006db86bb
Instruction Fuzzy Hash: 9EF0EC72CC26119BE7751620CC58E5D7325AF11756B5C815BF885E6208D738CD40A782

Function 00F84E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F84EDD,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F84EAE
FreeLibrary.KERNEL32(00000000,?,?,00F84EDD,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84EC0

Strings

kernel32.dll, xrefs: 00F84E94
Wow64DisableWow64FsRedirection, xrefs: 00F84EA8

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 6dea2f3faa78d693215ac99b3141f40ba24e26ecb180d39b9f40b1601331f624
Instruction ID: b4df7fe473c65581504713358bcc2b37085fa6fd260e6d18383071949ee55c78
Opcode Fuzzy Hash: 6dea2f3faa78d693215ac99b3141f40ba24e26ecb180d39b9f40b1601331f624
Instruction Fuzzy Hash: 43E08635E825235BA3316B256818A9B6654AF82B72B050115FC40E6104DB6CDC0152A0

Function 00F84E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FC3CDE,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F84E74
FreeLibrary.KERNEL32(00000000,?,?,00FC3CDE,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84E87

Strings

kernel32.dll, xrefs: 00F84E5B
Wow64RevertWow64FsRedirection, xrefs: 00F84E6E

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: ec1dcca079ab0cf73e78278cd033c3bc0cf01819795af62ededb6e4ceb813138
Instruction ID: ba632805ccd99eecc2c0bbce28dca03512e76135669ae3f9171b1b057f4df6e4
Opcode Fuzzy Hash: ec1dcca079ab0cf73e78278cd033c3bc0cf01819795af62ededb6e4ceb813138
Instruction Fuzzy Hash: F0D01235A826329766322B256918ECB6A18BF86B653050525B985E6108CF6DDD0197D0

Function 00FF2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FF2C05
DeleteFileW.KERNEL32(?), ref: 00FF2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FF2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FF2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FF2CC0

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 845a6d862edc6630ff44de8c1d940e80721dc5b50eade5af5bda008e62360ae7
Instruction ID: 63efbfa0b072c59f6edf2671ddf340e0130162fdc95b651eb5c39beffff7478a
Opcode Fuzzy Hash: 845a6d862edc6630ff44de8c1d940e80721dc5b50eade5af5bda008e62360ae7
Instruction Fuzzy Hash: E2B161B2D0011DABDF21EFA4CC85EEE7B7DEF49350F1040A6F609E6151EA349A449F61

Function 0100A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0100A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0100A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0100A468
CloseHandle.KERNEL32(?), ref: 0100A63D

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: e97c99259ee5418eef4459be85d5f4aa74bf9c30ac6f1ab5b6b84569b89da9db
Instruction ID: 3686f39c44c24248cda4ab5f3d29283618a2652e52fa289ddf36622c9ca61e4e
Opcode Fuzzy Hash: e97c99259ee5418eef4459be85d5f4aa74bf9c30ac6f1ab5b6b84569b89da9db
Instruction Fuzzy Hash: 0EA193716043009FE720DF28DC86F2AB7E5AF88714F14885DF69A9B2D2DB75EC418B91

Function 00FBBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01023700), ref: 00FBBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0105121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00FBBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,01051270,000000FF,?,0000003F,00000000,?), ref: 00FBBC36
_free.LIBCMT ref: 00FBBB7F

Part of subcall function 00FB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000), ref: 00FB29DE
Part of subcall function 00FB29C8: GetLastError.KERNEL32(00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000,00000000), ref: 00FB29F0

_free.LIBCMT ref: 00FBBD4B

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 2bd389b5a8526ba998461be5a0d860dc92578c9b2b43d1a1ed8fb100cbaf3936
Instruction ID: 3ab351e86a78f0ad91b39144555e5672a282184826a33a39838c8a83f835dfee
Opcode Fuzzy Hash: 2bd389b5a8526ba998461be5a0d860dc92578c9b2b43d1a1ed8fb100cbaf3936
Instruction Fuzzy Hash: C9510BB1D04209AFDB20EF66DC81AEEBBB8EF44360B10425AE454D7155EBB59E40EF50

Function 00FEE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FECF22,?), ref: 00FEDDFD

Part of subcall function 00FEDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FECF22,?), ref: 00FEDE16

Part of subcall function 00FEE199: GetFileAttributesW.KERNEL32(?,00FECF95), ref: 00FEE19A

lstrcmpiW.KERNEL32(?,?), ref: 00FEE473
MoveFileW.KERNEL32(?,?), ref: 00FEE4AC
_wcslen.LIBCMT ref: 00FEE5EB
_wcslen.LIBCMT ref: 00FEE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00FEE650

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 65943a36e2fe4a84f9915bc7620b3fbc81bee7ea1ec021d4b1e0be426cd8ef5e
Instruction ID: 5d117d81f70aae29c3eadeb1dba78efa017c6c82949a6c2461e26193beb93d34
Opcode Fuzzy Hash: 65943a36e2fe4a84f9915bc7620b3fbc81bee7ea1ec021d4b1e0be426cd8ef5e
Instruction Fuzzy Hash: 885196B24083855BC724EB90DC819DF73ECAF85350F00491EF589D3191EF79A6889766

Function 0100B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 0100C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100B6AE,?,?), ref: 0100C9B5
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100C9F1
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100CA68
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0100BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0100BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0100BB63
RegCloseKey.ADVAPI32(?,?), ref: 0100BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0100BBB3

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: a2e6108b6e692bab6637d2b5d4efca4a409bbc3011f52983d79dd8eb95d8d88e
Instruction ID: 312f7c78596755738d3f61d0aa14a76e84dcf616bcae22c56128186246cf2fa4
Opcode Fuzzy Hash: a2e6108b6e692bab6637d2b5d4efca4a409bbc3011f52983d79dd8eb95d8d88e
Instruction Fuzzy Hash: DA610334208201AFE325DF14C890E7ABBE4FF85308F14859CF0998B292DB75ED45CB92

Function 00FE8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FE8BCD
VariantClear.OLEAUT32 ref: 00FE8C3E
VariantClear.OLEAUT32 ref: 00FE8C9D
VariantClear.OLEAUT32(?), ref: 00FE8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FE8D3B

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 3db55032a7252707c7756a15580455d63fa00fceef59c721464d449fe065927c
Instruction ID: 1fc2ba7b1c912e397c15d915fa47531143d833d4d898d7bea6f717b9aa88f084
Opcode Fuzzy Hash: 3db55032a7252707c7756a15580455d63fa00fceef59c721464d449fe065927c
Instruction Fuzzy Hash: 9F518CB5A00219EFCB10DF59C884AAAB7F5FF89310B118559F909DB354EB34E912CF90

Function 00FF8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FF8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00FF8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FF8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FF8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FF8C5F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: b0f262359ed36705d4ee83c7827d3a79f6fcdb2b215e061475dd39efd1b358cf
Instruction ID: b457215ed9c83d1c8694e97b6631cc10569a40db63e074842f0a31670e9f0656
Opcode Fuzzy Hash: b0f262359ed36705d4ee83c7827d3a79f6fcdb2b215e061475dd39efd1b358cf
Instruction Fuzzy Hash: 47515035A002199FDB14EF54C881EADBBF5FF48314F088058E949AB362CB35ED41DBA0

Function 01008EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 01008F40
GetProcAddress.KERNEL32(00000000,?), ref: 01008FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 01008FEC
GetProcAddress.KERNEL32(00000000,?), ref: 01009032
FreeLibrary.KERNEL32(00000000), ref: 01009052

Part of subcall function 00F9F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00FF1043,?,75C0E610), ref: 00F9F6E6
Part of subcall function 00F9F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00FDFA64,00000000,00000000,?,?,00FF1043,?,75C0E610,?,00FDFA64), ref: 00F9F70D

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: c37e62403c48105f0ffe5bfffbd63c54dfe1ec796b0db3c9c8af93fb79dcb34c
Instruction ID: 70fc0ce73d3112a3c74fae6123e35edc586e50a723224800a23428d70574e999
Opcode Fuzzy Hash: c37e62403c48105f0ffe5bfffbd63c54dfe1ec796b0db3c9c8af93fb79dcb34c
Instruction Fuzzy Hash: 9B515E34A05205DFD716EF68C4848ADBBF1FF49314F0880A9E9499B3A2DB35ED85CB90

Function 01016B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 01016C33
SetWindowLongW.USER32(?,000000EC,?), ref: 01016C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 01016C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00FFAB79,00000000,00000000), ref: 01016C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 01016CC7

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 50b9933c4838c458a34e8d3fc4d3f49ee40da2e81661d5db6e174caed99cb48e
Instruction ID: c22f56a399594d57bd843b5224ecbbb06beea76a6700275ae75f5def2bf764aa
Opcode Fuzzy Hash: 50b9933c4838c458a34e8d3fc4d3f49ee40da2e81661d5db6e174caed99cb48e
Instruction Fuzzy Hash: 2141A135A00108AFE7248E68CD54BBA7FE5EB09350F0502A8F995A7298C3BAED41CA40

Function 00FB2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FB20C3
_free.LIBCMT ref: 00FB20E3

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5e6c8f50a3451af0b2a3fb7e419364829a669359c11c13fab982e25c3296aca8
Instruction ID: 400b6f76bcece783d89050dad40d34e1e7be183a82b6a8fb130dd1d31e650adf
Opcode Fuzzy Hash: 5e6c8f50a3451af0b2a3fb7e419364829a669359c11c13fab982e25c3296aca8
Instruction Fuzzy Hash: 2F41E276E00200AFDB20EF79C980A9DB7B5EF89320F154569E515EB355DB31AD01EF80

Function 00F9912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F99141
ScreenToClient.USER32(00000000,?), ref: 00F9915E
GetAsyncKeyState.USER32(00000001), ref: 00F99183
GetAsyncKeyState.USER32(00000002), ref: 00F9919D

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 581f06b5a20ce2f053f0c0e0a0893612fd09ff583f7315621e77e212e786bee9
Instruction ID: da26b5f5369d87f7d2a5adf0f69f9537dda5a0347a8ebcf66def6a30e03e1824
Opcode Fuzzy Hash: 581f06b5a20ce2f053f0c0e0a0893612fd09ff583f7315621e77e212e786bee9
Instruction Fuzzy Hash: 2841AF3190820AEBDF15AF68C844BEEB775FB05334F24431AE425A6290D7745990EB51

Function 00FF3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FF38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00FF3922
TranslateMessage.USER32(?), ref: 00FF394B
DispatchMessageW.USER32(?), ref: 00FF3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FF3966

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 3afb2c593c39824ae9d56f7851d877bc90d632a38c9aa952fa3f55bb5a495fba
Instruction ID: 62cc494c8aae053b25d3b48acb3320e27541e28f2de6281f4bccd44fc28a25cf
Opcode Fuzzy Hash: 3afb2c593c39824ae9d56f7851d877bc90d632a38c9aa952fa3f55bb5a495fba
Instruction Fuzzy Hash: 8131E971D4434AEEEB35CB34D448BB737A9AF05354F04055DE6A2C21A4E3FD9A84EB11

Function 00FFCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00FFC21E,00000000), ref: 00FFCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00FFCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00FFC21E,00000000), ref: 00FFCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FFC21E,00000000), ref: 00FFCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FFC21E,00000000), ref: 00FFCFF2

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 092a5d7fbb21c1931fba4d3c057124c66a3eccded5a0920fa9de8695ca433af0
Instruction ID: 918804197faae8e02017a141549f05da4585ad296b009ae80d35e3bec78acf6d
Opcode Fuzzy Hash: 092a5d7fbb21c1931fba4d3c057124c66a3eccded5a0920fa9de8695ca433af0
Instruction Fuzzy Hash: E531737190021DAFEB20DFA5CA84ABBB7F9EF04310B10442EF656D2150D735ED41EBA0

Function 00FE1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FE1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00FE19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00FE19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00FE19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00FE19E2

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: dc06742104bed5cbdb3aac82756f1ffbb7bd58caf7cc45024ad323dc78cb3538
Instruction ID: 853bf5bab961057bbf7c2cafbb204e0dc890a02423e30d1cb714225f40f2478a
Opcode Fuzzy Hash: dc06742104bed5cbdb3aac82756f1ffbb7bd58caf7cc45024ad323dc78cb3538
Instruction Fuzzy Hash: 2931E272900259EFDB10CFA9C998ADE3BB5FB04324F004225F961A72C1C374E944DB90

Function 01015706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 01015745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0101579D
_wcslen.LIBCMT ref: 010157AF
_wcslen.LIBCMT ref: 010157BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 01015816

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: b04964b7c5bb43632ab39a7ee8892886a4e4b0e74bed246aac5375b0901cdee6
Instruction ID: d2c565ff0f1cbe3cce1a7c3a37dd69ecf3a228943542db714a1ae3369cee2e3b
Opcode Fuzzy Hash: b04964b7c5bb43632ab39a7ee8892886a4e4b0e74bed246aac5375b0901cdee6
Instruction Fuzzy Hash: CC21B9719002189BDB209F64DC85AEE7BB8FF86328F004156EA59EF188D7789585CF50

Function 01000930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01000951
GetForegroundWindow.USER32 ref: 01000968
GetDC.USER32(00000000), ref: 010009A4
GetPixel.GDI32(00000000,?,00000003), ref: 010009B0
ReleaseDC.USER32(00000000,00000003), ref: 010009E8

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 3f3510f09666317401fa4dc39487d031dc42e6a10b5daa38f44cff1c5ff599cd
Instruction ID: 992916b67256ba7024998d2985d8f0b062c8c91ec567fe072713813c0e0535df
Opcode Fuzzy Hash: 3f3510f09666317401fa4dc39487d031dc42e6a10b5daa38f44cff1c5ff599cd
Instruction Fuzzy Hash: E321A135600204AFE714EF64C984AAEBBE5FF48740F048468F98A97365CB39EC04DB50

Function 00FBCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00FBCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FBCDE9

Part of subcall function 00FB3820: RtlAllocateHeap.NTDLL(00000000,?,01051444,?,00F9FDF5,?,?,00F8A976,00000010,01051440,00F813FC,?,00F813C6,?,00F81129), ref: 00FB3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00FBCE0F
_free.LIBCMT ref: 00FBCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00FBCE31

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 2affc8699f9602bd3f298e5f244066e37a115f334a79598e271ad92616836245
Instruction ID: 3c3ba769e54f6513668fab9bc9b96d6872d136a725154afd699c2424cfb29e4a
Opcode Fuzzy Hash: 2affc8699f9602bd3f298e5f244066e37a115f334a79598e271ad92616836245
Instruction Fuzzy Hash: 44018872A42215BF332125776C48DBB796DDEC6BA13150129F905DB204DA69CD01AAF0

Function 00F99639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F99693
SelectObject.GDI32(?,00000000), ref: 00F996A2
BeginPath.GDI32(?), ref: 00F996B9
SelectObject.GDI32(?,00000000), ref: 00F996E2

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: fca23fa8955772a4aaf73d6f9026e8c46f3dded8dba1da88ee063362e2ad4c2b
Instruction ID: 201575bc7e4c44301a7ab8422a28d4b54b7401af8659660b69de33090c35c4e3
Opcode Fuzzy Hash: fca23fa8955772a4aaf73d6f9026e8c46f3dded8dba1da88ee063362e2ad4c2b
Instruction Fuzzy Hash: 2521C571815305EFFF219F68E9047AA3B79FB11321F11021AF491961D8D3BA9891DF90

Function 00FE5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00FE5726
_memcmp.LIBVCRUNTIME ref: 00FE5744
_memcmp.LIBVCRUNTIME ref: 00FE5757
_memcmp.LIBVCRUNTIME ref: 00FE576F
_memcmp.LIBVCRUNTIME ref: 00FE5787

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4abe7a3fdee2c576c70d349f8808c762693043d0e0615a9417e5429fa4b5e798
Instruction ID: a5d39e7ae2ebf2c94adf20cd8bbcbfbd98c8002750a7744986558d2fccb2b9e3
Opcode Fuzzy Hash: 4abe7a3fdee2c576c70d349f8808c762693043d0e0615a9417e5429fa4b5e798
Instruction Fuzzy Hash: 0B01B5A664174EFBD60895139E92FBB735CAB61BACF014024FD049E241F764ED24A2E0

Function 00FB2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00FAF2DE,00FB3863,01051444,?,00F9FDF5,?,?,00F8A976,00000010,01051440,00F813FC,?,00F813C6), ref: 00FB2DFD
_free.LIBCMT ref: 00FB2E32
_free.LIBCMT ref: 00FB2E59
SetLastError.KERNEL32(00000000,00F81129), ref: 00FB2E66
SetLastError.KERNEL32(00000000,00F81129), ref: 00FB2E6F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 38c094241bdf5c50c0692fb0b5f805aae0b9ca4793922ed23ec8b6a5831b0142
Instruction ID: e183efd626bf8310a65a164d937418d92e4f463a80db6adf3fe9bd3df1d1279b
Opcode Fuzzy Hash: 38c094241bdf5c50c0692fb0b5f805aae0b9ca4793922ed23ec8b6a5831b0142
Instruction Fuzzy Hash: 3C01287668560077E763263B6D85EEF366DBBC53B1B244428F865A2186EF3DCC017E20

Function 00FE000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?,?,?,00FE035E), ref: 00FE002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?,?), ref: 00FE0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?,?), ref: 00FE0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?), ref: 00FE0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?,?), ref: 00FE0070

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 649d4bab776c3b38c34ff38716f7dc25adf018eb4d823d0e04348b9fab49ba64
Instruction ID: b44c098a6fa621846039909e7c953eef9139a9be659518d2cd16d69022328682
Opcode Fuzzy Hash: 649d4bab776c3b38c34ff38716f7dc25adf018eb4d823d0e04348b9fab49ba64
Instruction Fuzzy Hash: 8101A772640205BFEB205F6ADD44BAA7AEDEF44761F144114FE45D2204DBB9DD809760

Function 00FEE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00FEE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00FEE9A5
Sleep.KERNEL32(00000000), ref: 00FEE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00FEE9B7
Sleep.KERNEL32 ref: 00FEE9F3

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4cc1f0205f5ecded0a615e64eccbf6a7c13c85c213b995c629b9a564d500a20e
Instruction ID: 84198e97c9e104bc9ddadadd85d1b334e2dbdfcee22911dd6323035dbcd58a12
Opcode Fuzzy Hash: 4cc1f0205f5ecded0a615e64eccbf6a7c13c85c213b995c629b9a564d500a20e
Instruction Fuzzy Hash: 67018C31D4162DDBDF10AFE6E949AEDBBB8FF09310F000556E542B2245CB399550DBA1

Function 00FE10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FE1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FE114D

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ce06ba6583f880cc6a476fcbddc1977af2ada55c63f3992a8c16417a23269da8
Instruction ID: 0aa62f4c7c2da2dc9889e3454ebc3b9f3bbc6acaae780d5c84e24405cd49bea0
Opcode Fuzzy Hash: ce06ba6583f880cc6a476fcbddc1977af2ada55c63f3992a8c16417a23269da8
Instruction Fuzzy Hash: CC016D79540305BFEB214F66DD49A6A3B6EFF86360B100414FA81C3350DA7ADC009B60

Function 00FE0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FE0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FE0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FE0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FE0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FE1002

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0f12b9f94067c212ae2decc3948cbf510f8a294137657ff429d7dfdb06e1d5b8
Instruction ID: 90058e65cd77ac95c70d569a448f421c407587b04718db5b83ef6a23b5c038d7
Opcode Fuzzy Hash: 0f12b9f94067c212ae2decc3948cbf510f8a294137657ff429d7dfdb06e1d5b8
Instruction Fuzzy Hash: 12F0C239180341ABE7210FA6DD4DF563B6EFF8A761F110414FA85C7284CA39DC408B60

Function 00FE1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FE102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FE1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE1062

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7487e1be37586cd6998b3afc873cad626359894f488672169a2b6db6997c43d4
Instruction ID: 46d676aec95885f8207515124088171c28582ce2e836e8db0850cb7b79128802
Opcode Fuzzy Hash: 7487e1be37586cd6998b3afc873cad626359894f488672169a2b6db6997c43d4
Instruction Fuzzy Hash: 69F06239180351ABE7225FA6ED49F563B6EFF8A761F110414FA85C7240CA79D9508B60

Function 00FF030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00FF017D,?,00FF32FC,?,00000001,00FC2592,?), ref: 00FF0324
CloseHandle.KERNEL32(?,?,?,?,00FF017D,?,00FF32FC,?,00000001,00FC2592,?), ref: 00FF0331
CloseHandle.KERNEL32(?,?,?,?,00FF017D,?,00FF32FC,?,00000001,00FC2592,?), ref: 00FF033E
CloseHandle.KERNEL32(?,?,?,?,00FF017D,?,00FF32FC,?,00000001,00FC2592,?), ref: 00FF034B
CloseHandle.KERNEL32(?,?,?,?,00FF017D,?,00FF32FC,?,00000001,00FC2592,?), ref: 00FF0358
CloseHandle.KERNEL32(?,?,?,?,00FF017D,?,00FF32FC,?,00000001,00FC2592,?), ref: 00FF0365

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 81622ea7cb5b9b2e78448129742018577ccf8daec46d11f54acbf7d04b2361b2
Instruction ID: b7303cc416f3a5bb30950ab289a7e821c8206e3aa4ff2b1015c46e55c0063959
Opcode Fuzzy Hash: 81622ea7cb5b9b2e78448129742018577ccf8daec46d11f54acbf7d04b2361b2
Instruction Fuzzy Hash: 9401A272800B199FC7309F66D880822F7F5BF507253158A3FD29652932C7B1A954DF80

Function 00FBD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FBD752

Part of subcall function 00FB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000), ref: 00FB29DE
Part of subcall function 00FB29C8: GetLastError.KERNEL32(00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000,00000000), ref: 00FB29F0

_free.LIBCMT ref: 00FBD764
_free.LIBCMT ref: 00FBD776
_free.LIBCMT ref: 00FBD788
_free.LIBCMT ref: 00FBD79A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f2adc215e0668531fcf3d2dcd3898e1f5ee7ebd35bdc621a48acf9c3b1c70754
Instruction ID: efa9535809ff424607aa8138d7cd89576f2b876d106b2d93de831a418ad929cc
Opcode Fuzzy Hash: f2adc215e0668531fcf3d2dcd3898e1f5ee7ebd35bdc621a48acf9c3b1c70754
Instruction Fuzzy Hash: 98F068769012047B9765EA5AFAC5CD677EDBB043307A40C09F048D7505DB39FC406F65

Function 00FE5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00FE5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00FE5C6F
MessageBeep.USER32(00000000), ref: 00FE5C87
KillTimer.USER32(?,0000040A), ref: 00FE5CA3
EndDialog.USER32(?,00000001), ref: 00FE5CBD

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 87fe08e06caaf2f9b54a6aad06686e05b5dee814d7e592cd0bc2cf8bce42eba2
Instruction ID: 7a96187b4be9082a0d626c1c50c5f04bf05bdb30cae0ffcfc886d3e7966d5ebd
Opcode Fuzzy Hash: 87fe08e06caaf2f9b54a6aad06686e05b5dee814d7e592cd0bc2cf8bce42eba2
Instruction Fuzzy Hash: 6E01D130540B04ABFB305B25EE5EFA677B8BF08B09F040559A283A10D1DBF9B984DB91

Function 00FB22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FB22BE

Part of subcall function 00FB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000), ref: 00FB29DE
Part of subcall function 00FB29C8: GetLastError.KERNEL32(00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000,00000000), ref: 00FB29F0

_free.LIBCMT ref: 00FB22D0
_free.LIBCMT ref: 00FB22E3
_free.LIBCMT ref: 00FB22F4
_free.LIBCMT ref: 00FB2305

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 049684007fe95691d02026dbd6550e1814b25ed39376c4ba9fdbb46a01ecd234
Instruction ID: 07784d4652b979e0ae00d223379c0116b391a246940a2eaf20edcac57bd31039
Opcode Fuzzy Hash: 049684007fe95691d02026dbd6550e1814b25ed39376c4ba9fdbb46a01ecd234
Instruction Fuzzy Hash: 0DF054F48013109BA7A2AF59F94199E3B78F7187A0B000A0AF498D2A6DC73F0411BFE5

Function 00F995C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F995D4
StrokeAndFillPath.GDI32(?,?,00FD71F7,00000000,?,?,?), ref: 00F995F0
SelectObject.GDI32(?,00000000), ref: 00F99603
DeleteObject.GDI32 ref: 00F99616
StrokePath.GDI32(?), ref: 00F99631

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: ee03a35969b0e524a2dae65677f59d89135b5423dcd96566c695e3fa3b178a62
Instruction ID: e50202f537ea208df8e157d79f1d4eb0da58dd39a9763d086c1895124276710b
Opcode Fuzzy Hash: ee03a35969b0e524a2dae65677f59d89135b5423dcd96566c695e3fa3b178a62
Instruction Fuzzy Hash: 86F031314493049BEB365F59E90C7AA3B71A701332F058218F4D5550E8C77E8951DF64

Function 00FB0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00FB10F9
__freea.LIBCMT ref: 00FB1117

Part of subcall function 00FB1537: _free.LIBCMT ref: 00FB154F

Strings

a/p, xrefs: 00FB11DE
am/pm, xrefs: 00FB117A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4911523b3de26c763970c8d9aeb2d59fb9b7eef56c94d05f14b70d6ab66a4c9f
Instruction ID: 26d5ddcce5afc944df96b5a7dba41fd954ea79af5c1b2feeaa28347c5f870f29
Opcode Fuzzy Hash: 4911523b3de26c763970c8d9aeb2d59fb9b7eef56c94d05f14b70d6ab66a4c9f
Instruction Fuzzy Hash: 63D11532D00206CADB249F6AC865BFEB7F4FF06320FA80159E9019B650E7759D80EF91

Function 01007B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00FA0242: EnterCriticalSection.KERNEL32(0105070C,01051884,?,?,00F9198B,01052518,?,?,?,00F812F9,00000000), ref: 00FA024D
Part of subcall function 00FA0242: LeaveCriticalSection.KERNEL32(0105070C,?,00F9198B,01052518,?,?,?,00F812F9,00000000), ref: 00FA028A

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 00FA00A3: __onexit.LIBCMT ref: 00FA00A9

__Init_thread_footer.LIBCMT ref: 01007BFB

Part of subcall function 00FA01F8: EnterCriticalSection.KERNEL32(0105070C,?,?,00F98747,01052514), ref: 00FA0202
Part of subcall function 00FA01F8: LeaveCriticalSection.KERNEL32(0105070C,?,00F98747,01052514), ref: 00FA0235

Strings

G, xrefs: 01007C7F
5, xrefs: 01007C78
Variable must be of type 'Object'., xrefs: 01007C3A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 131b8cb1ea8a67b5690074d7c17844ae0b3a77b32b89f5f122b36915682e1cf1
Instruction ID: da0a9ae3429a694b88a486d699550124423b6ac36fced5458c70cd6b78329a2a
Opcode Fuzzy Hash: 131b8cb1ea8a67b5690074d7c17844ae0b3a77b32b89f5f122b36915682e1cf1
Instruction Fuzzy Hash: 5D918F71A00209EFEB16EF58D890DADB7B1FF45304F04809DF9865B291DB79AE41CB51

Function 00FE2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FE21D0,?,?,00000034,00000800,?,00000034), ref: 00FEB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FE2760

Part of subcall function 00FEB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FE21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00FEB3F8

Part of subcall function 00FEB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00FEB355
Part of subcall function 00FEB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FE2194,00000034,?,?,00001004,00000000,00000000), ref: 00FEB365
Part of subcall function 00FEB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FE2194,00000034,?,?,00001004,00000000,00000000), ref: 00FEB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FE27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FE281A

Strings

@, xrefs: 00FE2832

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 3fa6c3312649f31cf08643f79a72a3e70e9a5c2a7329d72a9e48ae5541586549
Instruction ID: 57ed32bf5fe704099e99703a9546ef27ca9ecf44decb9574bc0d278edf509007
Opcode Fuzzy Hash: 3fa6c3312649f31cf08643f79a72a3e70e9a5c2a7329d72a9e48ae5541586549
Instruction Fuzzy Hash: 8C413C72D00218AFDB10DFA5CD86AEEBBB8EF09310F004095FA55B7181DB756E45DBA1

Function 00FB172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00FB1769
_free.LIBCMT ref: 00FB1834
_free.LIBCMT ref: 00FB183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00FB1760, 00FB1767, 00FB1796, 00FB17CE

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: 179deccf77ad450ce654871619fef9020a9ecb23b5b565fe9d47d8603ee57281
Instruction ID: e93fe84f33fd77e8ae6bc028c5f4a9886e0a7dc9b495c5c74c00fe5c96d876ff
Opcode Fuzzy Hash: 179deccf77ad450ce654871619fef9020a9ecb23b5b565fe9d47d8603ee57281
Instruction Fuzzy Hash: F6316175E40218ABDB21DF9A9895EDFBBFCFB85360B644166F804D7201DA748A40EF90

Function 00FEC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FEC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00FEC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01051990,009F4C08), ref: 00FEC395

Strings

0, xrefs: 00FEC2DF

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: a8727a982a8c7165b79a9231f263872a2666dc2319a1c571c9b682367441f753
Instruction ID: ab1e982cbd5d66af0a1bdc3228fa71fea2a70a5d92c16a0f7f839187a878efe5
Opcode Fuzzy Hash: a8727a982a8c7165b79a9231f263872a2666dc2319a1c571c9b682367441f753
Instruction Fuzzy Hash: 1641C3316043819FD720DF26DC44F5ABBE8AF85320F04861DF9A5972D1D774E905EBA2

Function 01014416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0101CC08,00000000,?,?,?,?), ref: 010144AA
GetWindowLongW.USER32 ref: 010144C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 010144D7

Strings

SysTreeView32, xrefs: 0101447C

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 17f5a0b2861b9659a8b3eaa08951f671725a79df553299569f3a79ee87fabd72
Instruction ID: 79be8c41981d23cca52322fd8478d1d2368a5e4f949b110995c5e1b7b66294c7
Opcode Fuzzy Hash: 17f5a0b2861b9659a8b3eaa08951f671725a79df553299569f3a79ee87fabd72
Instruction Fuzzy Hash: 6031AD71240205AFEF619E38DC45BEA7BA9EB08334F204725F9B5D21E5DB78E8509B50

Function 0100304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0100335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,01003077,?,?), ref: 01003378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0100307A
_wcslen.LIBCMT ref: 0100309B
htons.WSOCK32(00000000,?,?,00000000), ref: 01003106

Strings

255.255.255.255, xrefs: 01003095, 0100309A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 746285b0630b1039c2d077f0f34c17619d36a84ae130bfdb701eabbded104f33
Instruction ID: c2806a45eb9753af2fc7be81a02aaf69a81265579772eefbccb08c1d3d76c0ec
Opcode Fuzzy Hash: 746285b0630b1039c2d077f0f34c17619d36a84ae130bfdb701eabbded104f33
Instruction Fuzzy Hash: 7331C1352042019FE722CF28C595AAA7BF0FF14314F148099E9958F3D2D776E941C760

Function 01013EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01013F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01013F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 01013F78

Strings

SysMonthCal32, xrefs: 01013F0B

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 3a418ff386ed73066a3b96c71bfd08b61f9d5e7d7df24ca7479317bd80345735
Instruction ID: 2fca1668ee550d72762b546d31ba65ef18b3ad99edb6327e243a1d67688f94b5
Opcode Fuzzy Hash: 3a418ff386ed73066a3b96c71bfd08b61f9d5e7d7df24ca7479317bd80345735
Instruction Fuzzy Hash: 97219132600219BFEF229E54DC46FEA3BB5FB48724F110258FA956B1C4D6B9E854CB90

Function 01014653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01014705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01014713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0101471A

Strings

msctls_updown32, xrefs: 01014684

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c5ea19395fd917fef92d24afdec16bd805b774ff685830cc03db8e9b25265b60
Instruction ID: 2ae7d9f4d5ac25614875126e6ea2ad7ebc823f504e3181bf71b298076d90f4a2
Opcode Fuzzy Hash: c5ea19395fd917fef92d24afdec16bd805b774ff685830cc03db8e9b25265b60
Instruction Fuzzy Hash: 382160B5600209AFEB11DF68DCC1DA737EDEB4A798B040459FA40DB265CB79EC11DB60

Function 00FE95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FE961D

Strings

#requireadmin, xrefs: 00FE95D9
#notrayicon, xrefs: 00FE95B7
#OnAutoItStartRegister, xrefs: 00FE95F3

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 1bc501321ffc9e2fd22bda6e40acd771ad288bbc758f4ce3673516bfe75f7f3e
Instruction ID: 2dce648fd734a12faf3cd1cea79635e3650eb189c2389362bf21c6c9e0efb823
Opcode Fuzzy Hash: 1bc501321ffc9e2fd22bda6e40acd771ad288bbc758f4ce3673516bfe75f7f3e
Instruction Fuzzy Hash: 1A216B7260869166C331BB26DC02FBB73D89F51310F14442AF94597041EBD89D45E3B1

Function 010137B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01013840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01013850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01013876

Strings

Listbox, xrefs: 0101380F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 28cbb0448a90398ff784e54e9b1edafdf3a42126d4644bc296cc08d1c96c1658
Instruction ID: ba69eba6c70ad4c3d66318166053d88a0f6e3dc855152ec1d7c0258ba245eb1a
Opcode Fuzzy Hash: 28cbb0448a90398ff784e54e9b1edafdf3a42126d4644bc296cc08d1c96c1658
Instruction Fuzzy Hash: 8421D7726002187BEF228F58CC41FBB37AEFF89760F108164F9809B194C679DC518790

Function 00FF49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FF4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FF4A5C
SetErrorMode.KERNEL32(00000000,?,?,0101CC08), ref: 00FF4AD0

Strings

%lu, xrefs: 00FF4A6F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: d4bd75f9f967e887122bcf20e51f35dc8ece242e05e3364a0fc24d64f75c198d
Instruction ID: 30aec93f39265bb9973f5741722879c460770641affa9c6139ac5ad0a25aa77a
Opcode Fuzzy Hash: d4bd75f9f967e887122bcf20e51f35dc8ece242e05e3364a0fc24d64f75c198d
Instruction Fuzzy Hash: E1319171A40109AFDB10DF54C981EAA7BF8EF09308F1480A8F909DF262D779ED45DB61

Function 010141EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0101424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01014264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01014271

Strings

msctls_trackbar32, xrefs: 01014226

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 35a2491decd2e26539196b2544eaec548c0d948da663914ad4dcc479624eb9f9
Instruction ID: 2843e8f49e78ea164d3ee5cf5b1eb98db6c4eb0e5abef0222b0f22094b7593ea
Opcode Fuzzy Hash: 35a2491decd2e26539196b2544eaec548c0d948da663914ad4dcc479624eb9f9
Instruction Fuzzy Hash: FC11C271240248BEEF315E69CC46FEB3BECEF89B64F110524FA95E60A4D376D8519B20

Function 00FE2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F86B57: _wcslen.LIBCMT ref: 00F86B6A

Part of subcall function 00FE2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FE2DC5
Part of subcall function 00FE2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FE2DD6
Part of subcall function 00FE2DA7: GetCurrentThreadId.KERNEL32 ref: 00FE2DDD
Part of subcall function 00FE2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FE2DE4

GetFocus.USER32 ref: 00FE2F78

Part of subcall function 00FE2DEE: GetParent.USER32(00000000), ref: 00FE2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00FE2FC3
EnumChildWindows.USER32(?,00FE303B), ref: 00FE2FEB

Strings

%s%d, xrefs: 00FE2FFF

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 99f67ed4b9ab045f467541d2a2c15e0d5ff1e3620ff11ff37f6ddd377dc0a593
Instruction ID: dba69f03852cf2d986228a548f7187dd836a6c8aeac4af6ca759dcb7f1b2c3da
Opcode Fuzzy Hash: 99f67ed4b9ab045f467541d2a2c15e0d5ff1e3620ff11ff37f6ddd377dc0a593
Instruction Fuzzy Hash: 0C11E4B16002456BDF507F718C89EEE376AAF84318F044075FA09DB143EE389909AB60

Function 01015882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010158C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010158EE
DrawMenuBar.USER32(?), ref: 010158FD

Strings

0, xrefs: 0101588F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: fb3d2e49a8c427de2d6d7acd7becf0328033e39d147dcac4d06acd88785eeaef
Instruction ID: 68e9a51af2ce2434c05f99cd688aa2a3adde26a833821cb98a19bd3bc97ea020
Opcode Fuzzy Hash: fb3d2e49a8c427de2d6d7acd7becf0328033e39d147dcac4d06acd88785eeaef
Instruction Fuzzy Hash: 9D0188315002189FEB619F15DC44BAFBBB5FF86364F008095F889DA155DB388684DF21

Function 00FE007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c64d6db9f21bc1f8bd1c401970cf012a62992dae983d13b09d6bcd928e19850
Instruction ID: 1cb8ce0aad8f9cd326da99d2928df539abd799a46ea60c37c12221b1f27de480
Opcode Fuzzy Hash: 6c64d6db9f21bc1f8bd1c401970cf012a62992dae983d13b09d6bcd928e19850
Instruction Fuzzy Hash: C4C16A75A0024AEFDB14CFA5C884BAEB7B5FF48314F208598E505EB251CB71EE81DB90

Function 00FB3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00FB3F0B
__alldvrm.LIBCMT ref: 00FB410C
__alldvrm.LIBCMT ref: 00FB412E

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 1c2fedcb1e3fad0668ecde056187d21f1c8a6184fa5d4241a044696a57457ae4
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 3FA14872E003869FDB16DE19CD917FEBBE4EF613A0F14416DE5859B282C238A941EF50

Function 0100342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01003459
CoUninitialize.OLE32 ref: 01003463
VariantInit.OLEAUT32(?), ref: 0100346E
VariantClear.OLEAUT32(?), ref: 0100371B

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 3cc52fbd5f024aa999fff024ed45213cedc09d4a3a9f067df28b658d692fa3e2
Instruction ID: b8f04d08e4456220a8ac7aacea46e9434148a78d7985e44c3ee40c5ac375bb22
Opcode Fuzzy Hash: 3cc52fbd5f024aa999fff024ed45213cedc09d4a3a9f067df28b658d692fa3e2
Instruction Fuzzy Hash: 9AA15D756043009FD712EF28C885A6ABBE5FF88714F048859F9899F3A2DB35ED01CB91

Function 00FE0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0101FC08,?), ref: 00FE05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0101FC08,?), ref: 00FE0608
CLSIDFromProgID.OLE32(?,?,00000000,0101CC40,000000FF,?,00000000,00000800,00000000,?,0101FC08,?), ref: 00FE062D
_memcmp.LIBVCRUNTIME ref: 00FE064E

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 6ace6f63c94851e568d67dea472d0dd3e63b2fddf658be7b79ccaad01d7279e8
Instruction ID: 17546bbb44dd399b4bc6f476ba3dc4311c6894b4c0e2e3b703205fe30eca5544
Opcode Fuzzy Hash: 6ace6f63c94851e568d67dea472d0dd3e63b2fddf658be7b79ccaad01d7279e8
Instruction Fuzzy Hash: 53813971A00209EFCB04DF94C984EEEB7B9FF89315F244158E506AB250DB75AE46DF60

Function 0100A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0100A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0100A6BA

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Process32NextW.KERNEL32(00000000,?), ref: 0100A79C
CloseHandle.KERNEL32(00000000), ref: 0100A7AB

Part of subcall function 00F9CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00FC3303,?), ref: 00F9CE8A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 5a8f6900ab25555f0bb9ca34b03eb6bab0f1a7d708b1dd1b36916cb3500f1d8d
Instruction ID: 089d29b7b33a654ec9bfc0a18cb0a42654afb88d688ced576df912479044f959
Opcode Fuzzy Hash: 5a8f6900ab25555f0bb9ca34b03eb6bab0f1a7d708b1dd1b36916cb3500f1d8d
Instruction Fuzzy Hash: BA515C71608301AFE710EF24CC86A6BBBE8FF89754F40891DF58597291EB35D904DB92

Function 00FC1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FC14C0

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ffb5f37c8e7366377198cb844894af50288b10c33368dc0c4701fd5ab2640b18
Instruction ID: 418da5ef48fd8959dc257b062bc351fa9a8bea58c2be8300f8be3fd8cb56ada8
Opcode Fuzzy Hash: ffb5f37c8e7366377198cb844894af50288b10c33368dc0c4701fd5ab2640b18
Instruction Fuzzy Hash: 42415D71900102ABDB29FAF98D47FAE3AE5FF43370F144629F419D6193E63C48217661

Function 01016278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 010162E2
ScreenToClient.USER32(?,?), ref: 01016315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 01016382

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 233a2cd7585d33e96be01633f2ea593d30b284ff9173894fe29c14fb2af86250
Instruction ID: 9bc80ffe8d1b9b94655d5927732736106eeb5fb97bfcc80694a77d2c3af98fe5
Opcode Fuzzy Hash: 233a2cd7585d33e96be01633f2ea593d30b284ff9173894fe29c14fb2af86250
Instruction Fuzzy Hash: 67518E74A00209EFDF21DF58C880AAE7BF5FF45360F108199F89497295D77AE941CB50

Function 01001AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 01001AFD
WSAGetLastError.WSOCK32 ref: 01001B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01001B8A
WSAGetLastError.WSOCK32 ref: 01001B94

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 169044488af5f8ff7ea2819b3dd3ad94a14f2b3979d9cc7570e8ea72d7592975
Instruction ID: 6fcb68c1ac3c3d305a15587e269114eab06c9805ee430aa0817c76ac8ae360b0
Opcode Fuzzy Hash: 169044488af5f8ff7ea2819b3dd3ad94a14f2b3979d9cc7570e8ea72d7592975
Instruction Fuzzy Hash: 7C41B334640600AFF721AF28C886F6977E5AF44718F548488FA5A9F7C2D776DD41CB90

Function 00FBB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52bee8ba0a9f6c6379a3e6ebd330533409251dea83d824170d2547c5a30f1a29
Instruction ID: 47e47f66ce000f3b1d661fecc5b92edc84b79a3c635a52cc35abcd5f878c1087
Opcode Fuzzy Hash: 52bee8ba0a9f6c6379a3e6ebd330533409251dea83d824170d2547c5a30f1a29
Instruction Fuzzy Hash: B2410A71A00704EFD724DF79CC41BAA7BE9FB85720F10462EF145DB282D7B5A9019B90

Function 00FF56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FF5783
GetLastError.KERNEL32(?,00000000), ref: 00FF57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FF57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FF57FA

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 8f3dd6c239897c31b36ef8f46782d4451ab80d176751d4612e43526940c7f151
Instruction ID: c6056ed78a87cba101b3cc8ac617c80f9e91d87a387a80662f42af1f2b696f65
Opcode Fuzzy Hash: 8f3dd6c239897c31b36ef8f46782d4451ab80d176751d4612e43526940c7f151
Instruction Fuzzy Hash: 0D414D35600614DFCB10EF15C545A5DBBE1FF49720B188488E95A9F366CB39FD00EBA1

Function 00FBD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00FA6D71,00000000,00000000,00FA82D9,?,00FA82D9,?,00000001,00FA6D71,8BE85006,00000001,00FA82D9,00FA82D9), ref: 00FBD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FBD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00FBD9AB
__freea.LIBCMT ref: 00FBD9B4

Part of subcall function 00FB3820: RtlAllocateHeap.NTDLL(00000000,?,01051444,?,00F9FDF5,?,?,00F8A976,00000010,01051440,00F813FC,?,00F813C6,?,00F81129), ref: 00FB3852

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 6823ebdaea6ef6753d970d38cb97289088a688fc6ce672ec273b4127e2768f28
Instruction ID: 7ce826119543983645742a123f2fce948a9d65f75747e2b1166970b4c9c6133e
Opcode Fuzzy Hash: 6823ebdaea6ef6753d970d38cb97289088a688fc6ce672ec273b4127e2768f28
Instruction Fuzzy Hash: 3031CD72A0020AABDF24DF66DC81EEE7BA5EB41320F054168FC04D7250EB39DD50EBA1

Function 010152C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 01015352
GetWindowLongW.USER32(?,000000F0), ref: 01015375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01015382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010153A8

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e04ab493295990ae51fdc38eabe7621ddbf6e2112f587dfbeca86981e271d2b4
Instruction ID: 17917a34760a3412c8fda538652b736c7b9d4dbf89c0dd999d894f63fd36dca7
Opcode Fuzzy Hash: e04ab493295990ae51fdc38eabe7621ddbf6e2112f587dfbeca86981e271d2b4
Instruction Fuzzy Hash: 7E31C434A55208EFFB748E18CC05BE93BA5AB86310F488142FAD09B1D9C7FD99409B42

Function 00FEAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00FEABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00FEAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00FEAC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00FEACC6

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4190cac5a2a7348dafe06619ea7353b17e425cf2873b553852e5c15d8fcace5b
Instruction ID: 2fdc278eda542ddfc30c0b0d7aae412da7bb550ce3da955aab1493aaa24e2857
Opcode Fuzzy Hash: 4190cac5a2a7348dafe06619ea7353b17e425cf2873b553852e5c15d8fcace5b
Instruction Fuzzy Hash: 7E313D30D447986FFF35CA6E8C047FE7B656B89320F24471AE485521D0C379E985A753

Function 01017674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0101769A
GetWindowRect.USER32(?,?), ref: 01017710
PtInRect.USER32(?,?,01018B89), ref: 01017720
MessageBeep.USER32(00000000), ref: 0101778C

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 68b8c6febcf4d38be83633bc4ef3af708599ea69b916e1cbc6a31900ade3728a
Instruction ID: 81aeee480d1d13ccad5a1e35e2bacb9e2763aeae6051d59b1dfdce075bf7840e
Opcode Fuzzy Hash: 68b8c6febcf4d38be83633bc4ef3af708599ea69b916e1cbc6a31900ade3728a
Instruction Fuzzy Hash: BB419F34601215EFDB12CF58C484FA9BBF5FF49314F1541A8E5949B259C739E941CF90

Function 010116DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 010116EB

Part of subcall function 00FE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FE3A57
Part of subcall function 00FE3A3D: GetCurrentThreadId.KERNEL32 ref: 00FE3A5E
Part of subcall function 00FE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FE25B3), ref: 00FE3A65

GetCaretPos.USER32(?), ref: 010116FF
ClientToScreen.USER32(00000000,?), ref: 0101174C
GetForegroundWindow.USER32 ref: 01011752

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 4dc26a7c998b47ae0534b0e70f6d3e564ee307f4a6a3f7c452655e0aeb70ab50
Instruction ID: 76279eab08da634d30b0b865d78d258d513b0b2a17de3ead12569f3f69d2ee41
Opcode Fuzzy Hash: 4dc26a7c998b47ae0534b0e70f6d3e564ee307f4a6a3f7c452655e0aeb70ab50
Instruction Fuzzy Hash: 98315D75D00249AFDB04EFA9C8858EEBBF9EF48304B5080A9E555E7211D739DE45CBA0

Function 00FEDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00F87620: _wcslen.LIBCMT ref: 00F87625

_wcslen.LIBCMT ref: 00FEDFCB
_wcslen.LIBCMT ref: 00FEDFE2
_wcslen.LIBCMT ref: 00FEE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00FEE018

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 927d0b5a1890a192b16d6a64a8e59516e550a6a69f35c1f88d64e8dc3591f697
Instruction ID: 348fbd0b686d6b2a6ba6001df4db71c9acfa6b1182921dd40cd09560f0ad4d2a
Opcode Fuzzy Hash: 927d0b5a1890a192b16d6a64a8e59516e550a6a69f35c1f88d64e8dc3591f697
Instruction Fuzzy Hash: 3321D171D00214AFCB20EFA9DD81BAEB7F8EF8A760F144065E905FB245D6749E409BA1

Function 01018FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

GetCursorPos.USER32(?), ref: 01019001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FD7711,?,?,?,?,?), ref: 01019016
GetCursorPos.USER32(?), ref: 0101905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FD7711,?,?,?), ref: 01019094

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 87f8f476c2fe0fbcb31709a07e520386ba01ac84a39385b83ee9f24f47948417
Instruction ID: 888855a708bc033091f75734c6aca953ebd0b0db471d90f3d94a244e542b1142
Opcode Fuzzy Hash: 87f8f476c2fe0fbcb31709a07e520386ba01ac84a39385b83ee9f24f47948417
Instruction Fuzzy Hash: E3219135600118FFEB66CF98C868EFA7BF9EB89354F044095FA8547155C33A9990DB60

Function 00FED2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0101CB68), ref: 00FED2FB
GetLastError.KERNEL32 ref: 00FED30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FED319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0101CB68), ref: 00FED376

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 675707536f1a22143d222f2b15444c93071410382e1585b4b45b1debaf13d18e
Instruction ID: bccbfa915aace8f73e8c19bfdd7fe9f938ac360fa2c46a823cadc0ac4ba599af
Opcode Fuzzy Hash: 675707536f1a22143d222f2b15444c93071410382e1585b4b45b1debaf13d18e
Instruction Fuzzy Hash: 9A21D1709082419F8310EF29C9808AEB7E8EF56328F504A1DF499C72E1D735D905EB93

Function 00FE1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FE102A
Part of subcall function 00FE1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FE1036
Part of subcall function 00FE1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE1045
Part of subcall function 00FE1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE104C
Part of subcall function 00FE1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00FE15BE
_memcmp.LIBVCRUNTIME ref: 00FE15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE1617
HeapFree.KERNEL32(00000000), ref: 00FE161E

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 13fe9b7764b2037cf573a5d83c8f9b9e7ac48d6e1dd1e851349c9f160158e261
Instruction ID: 8bf5175bad1e868a10abf99424f3b25fcbe314f04679ff3009311b824fae33c7
Opcode Fuzzy Hash: 13fe9b7764b2037cf573a5d83c8f9b9e7ac48d6e1dd1e851349c9f160158e261
Instruction Fuzzy Hash: 2721AF71E40208EFEF10DFA6C945BEEB7B8FF45354F084459E445AB240E735AA05EBA0

Function 01012782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0101280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01012824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01012832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01012840

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: d93ba6b0bd86c85c3cbc57a566b5b7224a33182a682c0f7853a8e21312c8f0fc
Instruction ID: c79f21c295b901f5b25bb00a0a205356d201134e587fb11f116aa77386553ea7
Opcode Fuzzy Hash: d93ba6b0bd86c85c3cbc57a566b5b7224a33182a682c0f7853a8e21312c8f0fc
Instruction Fuzzy Hash: FB21B331205511AFE714EB24C844FAA7B95BF45324F248158F9A68B6D6C77AEC82C7D0

Function 00FE78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00FE790A,?,000000FF,?,00FE8754,00000000,?,0000001C,?,?), ref: 00FE8D8C
Part of subcall function 00FE8D7D: lstrcpyW.KERNEL32(00000000,?,?,00FE790A,?,000000FF,?,00FE8754,00000000,?,0000001C,?,?,00000000), ref: 00FE8DB2
Part of subcall function 00FE8D7D: lstrcmpiW.KERNEL32(00000000,?,00FE790A,?,000000FF,?,00FE8754,00000000,?,0000001C,?,?), ref: 00FE8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00FE8754,00000000,?,0000001C,?,?,00000000), ref: 00FE7923
lstrcpyW.KERNEL32(00000000,?,?,00FE8754,00000000,?,0000001C,?,?,00000000), ref: 00FE7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00FE8754,00000000,?,0000001C,?,?,00000000), ref: 00FE7984

Strings

cdecl, xrefs: 00FE797B

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 938ca875bf198a7e19d67bcf7129b8c0ac333abef651f01c70d8c1cfbfcb47b5
Instruction ID: eb128dd11e63ed556f35b74f15dc989bacfe2315478abca7fe57d2abc7b62c6c
Opcode Fuzzy Hash: 938ca875bf198a7e19d67bcf7129b8c0ac333abef651f01c70d8c1cfbfcb47b5
Instruction Fuzzy Hash: 2D11063A200381ABDB256F36CC44E7B77A5FF45390B10402AF946C7265EB36D801E751

Function 01017CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 01017D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 01017D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 01017D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00FFB7AD,00000000), ref: 01017D6B

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 7dc932ac6591ebcbb28f81af51537494156425686a6b482d46e5cf03b6298760
Instruction ID: 5b414b30f1dab75a39c11c117373cf88a1516e29634427da6498fc64090ddfb3
Opcode Fuzzy Hash: 7dc932ac6591ebcbb28f81af51537494156425686a6b482d46e5cf03b6298760
Instruction Fuzzy Hash: D611D232200619AFDB609F2CCC04A6A3FF5BB45364B514768F9B5C72E8D739C950CB40

Function 01015660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 010156BB
_wcslen.LIBCMT ref: 010156CD
_wcslen.LIBCMT ref: 010156D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 01015816

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 170dd78e99eaa3b5b37487730501f07d1946cc868c6240ef6a2f829681c7fe35
Instruction ID: 287533f4006d837d8274d48ab0a0a401b70ca1307a9d171aa58ca71620eb188a
Opcode Fuzzy Hash: 170dd78e99eaa3b5b37487730501f07d1946cc868c6240ef6a2f829681c7fe35
Instruction Fuzzy Hash: B2110A7164020496EF209F65DC80AEF77ACEF8B368F004466FA85DE089DB7CD540CBA0

Function 00FB1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae22428ea4820c2699f2647545cd3a72b970bbef1827c639674d8e85d582feb7
Instruction ID: b3bb51a19319788c621c51bc97f508d03a7f45d62ac545d406a3e05dc9a78b45
Opcode Fuzzy Hash: ae22428ea4820c2699f2647545cd3a72b970bbef1827c639674d8e85d582feb7
Instruction Fuzzy Hash: DA01D6B26066167EF721257A6CD0FA7761CEF457B8F700325F521511C5DB69CC007970

Function 00FE1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00FE1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FE1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FE1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FE1A8A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 463477f2570ef617a9aaf878eaaa3821ce057a3a5e31db8bdc3a2a6dcacd5188
Instruction ID: fe6f426a4d36b5a1cfe4f7c459c48c1bc7b57b458dba720dc32db6ccb4f8730b
Opcode Fuzzy Hash: 463477f2570ef617a9aaf878eaaa3821ce057a3a5e31db8bdc3a2a6dcacd5188
Instruction Fuzzy Hash: 91113C3AD01219FFEB10DBA6CD85FADBB78FB08750F2000A1E600B7290D6756E50EB94

Function 00FEE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FEE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00FEE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FEE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FEE24D

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: ee540bbdea83d31ac0d3e0004fc2d0a7a83fbd87815170053cc32cc06d3ff466
Instruction ID: 167803db273b1f0bbc205d7b75c9550075b3689eaf22d28e47f4d631f10f5697
Opcode Fuzzy Hash: ee540bbdea83d31ac0d3e0004fc2d0a7a83fbd87815170053cc32cc06d3ff466
Instruction Fuzzy Hash: 9B112B76D04354BBD7219FA8AC05B9F7FACAB45320F008215F954D3285D2B9CD0487A0

Function 00FAD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00FACFF9,00000000,00000004,00000000), ref: 00FAD218
GetLastError.KERNEL32 ref: 00FAD224
__dosmaperr.LIBCMT ref: 00FAD22B
ResumeThread.KERNEL32(00000000), ref: 00FAD249

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 37396b5634af6d2de3f2c1d4edfa55edd917e2e1fbdc84f81d27ab4f8a0199ea
Instruction ID: 441ef908479e5137c9a4cb3e2c95bf1b0c05634cfb58b3d24adf6e3686195ce2
Opcode Fuzzy Hash: 37396b5634af6d2de3f2c1d4edfa55edd917e2e1fbdc84f81d27ab4f8a0199ea
Instruction Fuzzy Hash: 4701F9F68451047BD7216BA5DC09BAE7AADDF83330F104219F926965D0DF75C901E7A0

Function 01019EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

GetClientRect.USER32(?,?), ref: 01019F31
GetCursorPos.USER32(?), ref: 01019F3B
ScreenToClient.USER32(?,?), ref: 01019F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 01019F7A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 7b80b70c68de7f43b96d129b70c96cbbe9a629b94d0d55750a1bc0bbc976293e
Instruction ID: 73d699f2e49e50a8755ed3de2c7caa39fae1317bb566ee4ede977cb553292f29
Opcode Fuzzy Hash: 7b80b70c68de7f43b96d129b70c96cbbe9a629b94d0d55750a1bc0bbc976293e
Instruction Fuzzy Hash: 06115A3290021AFBEB10DF68C8559EE7BB8FB45315F000459F981E3144D339FA81CBA1

Function 00F8600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F8604C
GetStockObject.GDI32(00000011), ref: 00F86060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F8606A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: ffba58e76218f4f8657e9f8d4b814066d70f386acc12b0d84597192f929f7239
Instruction ID: e62b0a326f6a92e7dca0226f7d790fc8863ab1d59f36d53afb8bcc852247b347
Opcode Fuzzy Hash: ffba58e76218f4f8657e9f8d4b814066d70f386acc12b0d84597192f929f7239
Instruction Fuzzy Hash: 3911AD72501508BFEF225FA48C44FEABB69FF083A4F000205FA0492100C73BDC60EBA0

Function 00FA3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00FA3B56

Part of subcall function 00FA3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00FA3AD2
Part of subcall function 00FA3AA3: ___AdjustPointer.LIBCMT ref: 00FA3AED

_UnwindNestedFrames.LIBCMT ref: 00FA3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00FA3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00FA3BA4

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 9cb3fd379d20401862ab825dc229fcd493bafa54dc8765dd14c4f76a77480ecb
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: C70140B2500148BBDF115E95DC42EEB7F6EFF8A754F044014FE4856121C776E961EBA0

Function 00FB3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00F813C6,00000000,00000000,?,00FB301A,00F813C6,00000000,00000000,00000000,?,00FB328B,00000006,FlsSetValue), ref: 00FB30A5
GetLastError.KERNEL32(?,00FB301A,00F813C6,00000000,00000000,00000000,?,00FB328B,00000006,FlsSetValue,01022290,FlsSetValue,00000000,00000364,?,00FB2E46), ref: 00FB30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00FB301A,00F813C6,00000000,00000000,00000000,?,00FB328B,00000006,FlsSetValue,01022290,FlsSetValue,00000000), ref: 00FB30BF

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 7e6067ad7a07cfffeb373a120307396f23024f4475d7caeeb0f501000aaf1597
Instruction ID: a9734c94517b7746bf612dbaf0cad498c93f08682b479d890e8bbb22d077d409
Opcode Fuzzy Hash: 7e6067ad7a07cfffeb373a120307396f23024f4475d7caeeb0f501000aaf1597
Instruction Fuzzy Hash: 5601FC36BC5332ABD731597A9C44AD77798AF057F5B200620F945D3144C72AD901DBD0

Function 00FE7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00FE747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FE7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FE74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00FE74CA

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 5b1711e8adc9b972e1dea17b64098d96f8c216cf91861dcb26e8afce344517c7
Instruction ID: 3e6d2c4454bab136ce0a3add818a3a3379a0887d285b36bf87f22dd3c9b8fe8b
Opcode Fuzzy Hash: 5b1711e8adc9b972e1dea17b64098d96f8c216cf91861dcb26e8afce344517c7
Instruction Fuzzy Hash: 46118EB5249394DBF730EF15DD08B927BFCEB00B00F108569A656D61C1D775E904EB50

Function 00FEB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FEACD3,?,00008000), ref: 00FEB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FEACD3,?,00008000), ref: 00FEB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FEACD3,?,00008000), ref: 00FEB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FEACD3,?,00008000), ref: 00FEB126

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 3a114f7c5349322e018c459628537350dc6045676dc0e3f77a0596fc1643bc02
Instruction ID: 52b6835da0aa0c026466800c95761d02895c92d6307e2e8ce6e0ea78408434ee
Opcode Fuzzy Hash: 3a114f7c5349322e018c459628537350dc6045676dc0e3f77a0596fc1643bc02
Instruction Fuzzy Hash: 3D115E31C4165CE7DF10AFE5E9987EFBB78FF4A721F104086D981B2184CB389550AB51

Function 01017E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01017E33
ScreenToClient.USER32(?,?), ref: 01017E4B
ScreenToClient.USER32(?,?), ref: 01017E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 01017E8A

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: ebb288f86585274e56c4d483dfcf1843a6fe14dd10a5f86023e08a103d9e423b
Instruction ID: d7af0d691c6405a32965b670a0283985ec680e1e3052fece4fde87f486a32a42
Opcode Fuzzy Hash: ebb288f86585274e56c4d483dfcf1843a6fe14dd10a5f86023e08a103d9e423b
Instruction Fuzzy Hash: 0C1153B9D0020AAFDB51CF98C584AEEBBF9FF08310F509066E955E3214D779AA54CF90

Function 00FE2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FE2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FE2DD6
GetCurrentThreadId.KERNEL32 ref: 00FE2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FE2DE4

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: c9ebf6ec3a6ee00c37b9e33eb5873c1619758fd7c8675270cb8c03f307680446
Instruction ID: 899fea33c0f44e2329e5e30854b5ff4c90cee312578177f5e36eb2cdb5d55f99
Opcode Fuzzy Hash: c9ebf6ec3a6ee00c37b9e33eb5873c1619758fd7c8675270cb8c03f307680446
Instruction Fuzzy Hash: 86E06D729812247AE7301A639D0DFEB3E6CEB46BA1F000515B205D1084EAAAD840D7B0

Function 01018863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F99639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F99693
Part of subcall function 00F99639: SelectObject.GDI32(?,00000000), ref: 00F996A2
Part of subcall function 00F99639: BeginPath.GDI32(?), ref: 00F996B9
Part of subcall function 00F99639: SelectObject.GDI32(?,00000000), ref: 00F996E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 01018887
LineTo.GDI32(?,?,?), ref: 01018894
EndPath.GDI32(?), ref: 010188A4
StrokePath.GDI32(?), ref: 010188B2

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 94f38e2817a81f6839959b015ca6a213cb2f334066cb6a7fd91d4a990d8e0987
Instruction ID: e4c7d0480c5fd4d284085761237ec9fb6ae98d6465f52233ffe2b64a4064c71e
Opcode Fuzzy Hash: 94f38e2817a81f6839959b015ca6a213cb2f334066cb6a7fd91d4a990d8e0987
Instruction Fuzzy Hash: 72F03A36085258BAEB225E98AD0AFCA3F69AF06310F048141FA91650D5C7BE9211DBE9

Function 00F998B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F998CC
SetTextColor.GDI32(?,?), ref: 00F998D6
SetBkMode.GDI32(?,00000001), ref: 00F998E9
GetStockObject.GDI32(00000005), ref: 00F998F1

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 4d0f3b104c53bb2ad97f6b9ac12c4199571cf8b4af212c633f13c71f5cfc6241
Instruction ID: 83da76b08a5570c368c2663fbdba2e9c4f54652b986879dbd7c2c78d3fba7ae7
Opcode Fuzzy Hash: 4d0f3b104c53bb2ad97f6b9ac12c4199571cf8b4af212c633f13c71f5cfc6241
Instruction Fuzzy Hash: 7FE065316C4280AAEB315B74B909BD83F11AB12335F18821AF6F5580D4C37A86409B11

Function 00FE162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00FE1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00FE11D9), ref: 00FE163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FE11D9), ref: 00FE1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00FE11D9), ref: 00FE164F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 188e1bca3794f324cb756bec0ed5071c9f3f61b7c07f7afef58fa068bc9a9991
Instruction ID: a8881e6bab4ef774b2bfcb96dbc7e7015b4cecba2c8ec1e70a2326b726355abe
Opcode Fuzzy Hash: 188e1bca3794f324cb756bec0ed5071c9f3f61b7c07f7afef58fa068bc9a9991
Instruction Fuzzy Hash: A5E08631A41211ABE7301FA29F0DB863B7CBF457A1F144808F285C9084D63DC540C750

Function 00FDD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00FDD858
GetDC.USER32(00000000), ref: 00FDD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FDD882
ReleaseDC.USER32(?), ref: 00FDD8A3

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 87b858ad5f86962938d475e031a34a6ef59be52bd4cbcf7e4afcaf8efe47640f
Instruction ID: 30c12e56c298e8e524cd14fb1f497b515445592817e93a405c24ada1227fe1d5
Opcode Fuzzy Hash: 87b858ad5f86962938d475e031a34a6ef59be52bd4cbcf7e4afcaf8efe47640f
Instruction Fuzzy Hash: 30E09AB5840205EFEF61AFE0D60866DBBB6FB08311F249459F98AE7244C73D9941AF50

Function 00FDD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00FDD86C
GetDC.USER32(00000000), ref: 00FDD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FDD882
ReleaseDC.USER32(?), ref: 00FDD8A3

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0206d9c6c8dc10170b5d6e3b74a4dc91d9ba230bb7081064b3fb7754a2c3eb08
Instruction ID: 6b4b45f5203e5de42b9201613220ecae58db3afaa4afcaaab33a2fba054e76fe
Opcode Fuzzy Hash: 0206d9c6c8dc10170b5d6e3b74a4dc91d9ba230bb7081064b3fb7754a2c3eb08
Instruction Fuzzy Hash: 77E09A75C40204DFEF61AFA0D50866DBBB5BB08311B149449F98AE7244C73DA901AF50

Function 00FF4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F87620: _wcslen.LIBCMT ref: 00F87625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00FF4ED4

Strings

*, xrefs: 00FF4E10
LPT, xrefs: 00FF4DFB

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: d94d7126514f5317c02ed57b753b64f247cfcb12e75b1f0f18c723b7956303ce
Instruction ID: d87c3d101ca8eaf5b1002017be61cdf7f7209bc8995414c5716f0f616ad79fc3
Opcode Fuzzy Hash: d94d7126514f5317c02ed57b753b64f247cfcb12e75b1f0f18c723b7956303ce
Instruction Fuzzy Hash: 06917F75A002089FDB14DF58C884EBABBF1BF45314F188099E94A9F3A2D735ED85DB90

Function 00FAE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00FAE30D

Strings

pow, xrefs: 00FAE2E5, 00FAE302

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1c81c14854593933f1ff5f67e09e20ac7a78b525537c82e095600919b075d42f
Instruction ID: 6087ca9f03cd87513822dd25927c845488a11467480c2664b150bdeee4576946
Opcode Fuzzy Hash: 1c81c14854593933f1ff5f67e09e20ac7a78b525537c82e095600919b075d42f
Instruction Fuzzy Hash: 67513CB1E0C30296CB257A15CD017FA3F989F917A0F3449A8E4D54229DEB398C95BF46

Function 00F9E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00F9E1B1

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d41c995dd2d62313cc3a69f1d8bfdba820337f4e3207b8deeea7d2db48803105
Instruction ID: 2b00bc8339b8dac8ff56d7015bbd709b79d4fe519482140a4071289f8f844a9d
Opcode Fuzzy Hash: d41c995dd2d62313cc3a69f1d8bfdba820337f4e3207b8deeea7d2db48803105
Instruction Fuzzy Hash: 3B510475D04246DFEF19EF24C4816FA7BAAEF55320F284056ECA19F2D0D6389D42EB50

Function 00F9F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F9F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F9F2BB

Strings

@, xrefs: 00F9F2AF

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: d0beaae2e4fb395e04dc69b03aaf3bfe15c1196438a03a5919aeaa99a23e47b4
Instruction ID: 55de63d69b614b1617bc246e4d6a4f332db285cb990158f4210764d3bdcb9905
Opcode Fuzzy Hash: d0beaae2e4fb395e04dc69b03aaf3bfe15c1196438a03a5919aeaa99a23e47b4
Instruction Fuzzy Hash: 375155714087449BE320BF10EC86BABBBF8FF84304F91884DF2D942195EB758529CB66

Function 01005745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 010057E0
_wcslen.LIBCMT ref: 010057EC

Strings

CALLARGARRAY, xrefs: 010057E6, 010057EB

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 70f463a6dc233a87460caa9cd8cd8b9d7be18e08dd0658e5972081ae2a227984
Instruction ID: d455229cc89a2bad135cac22dae38454213d9608564c781ae174aa5473bee450
Opcode Fuzzy Hash: 70f463a6dc233a87460caa9cd8cd8b9d7be18e08dd0658e5972081ae2a227984
Instruction Fuzzy Hash: 38418F71A002099FDB15EFA9CC859BEBBF5FF49310F244069E945A7292E734DA81CF90

Function 00FFD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FFD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00FFD13A

Strings

|, xrefs: 00FFD10B

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: a21125140564e94a542e26c20a9eff51999de1e284b77785375397f77bd12041
Instruction ID: b050863b847a42075df5c20a46a50e9262f38cbe52b3b4c9bf32ca2c1dea9e24
Opcode Fuzzy Hash: a21125140564e94a542e26c20a9eff51999de1e284b77785375397f77bd12041
Instruction Fuzzy Hash: F7314D71D00209ABDF15EFA4CC85EEEBFBAFF05310F100019F915A6166E735AA16EB64

Function 0101356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01013621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0101365C

Strings

static, xrefs: 010135BC

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 5627fc2c4287f2ea1c70c4a09547773abda8117cfff57c1f1fd6cf7e794bd120
Instruction ID: 3fa922f74bc30bb82629d464fc4363954139879d279215f716309ee74e2e05ee
Opcode Fuzzy Hash: 5627fc2c4287f2ea1c70c4a09547773abda8117cfff57c1f1fd6cf7e794bd120
Instruction Fuzzy Hash: A6319071100204AEEB219F28DC80EFB73A9FF48764F008619F9A5D7284DA39E891D760

Function 01014537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0101461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01014634

Strings

', xrefs: 0101458E

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 7c866652bc5f17122072f9a8cac4479b122628ce6f5e347891ab0cdcb9369af9
Instruction ID: 12bc9e71bfe5c1951f707c8f292749282640d9102948b2c47fe61ac01e2dac55
Opcode Fuzzy Hash: 7c866652bc5f17122072f9a8cac4479b122628ce6f5e347891ab0cdcb9369af9
Instruction Fuzzy Hash: 0D313674A0020AAFDB14CFA9C980BDA7BF5FB08304F14446AEA44EB356D775A901CF90

Function 010131EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0101327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01013287

Strings

Combobox, xrefs: 01013249

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 066544093de1fac8b66dec529c8236d9235e8b8952f57ad616b47431b0af4efb
Instruction ID: 45825b6d209269330e483828ff5dd467a35b688b2b9c90a6805de35a366ce26f
Opcode Fuzzy Hash: 066544093de1fac8b66dec529c8236d9235e8b8952f57ad616b47431b0af4efb
Instruction Fuzzy Hash: 7F1193713002086FFF66AE58DC80EFB379AFB48364F104125F9549B295D6399C51C760

Function 01013710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F8600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F8604C
Part of subcall function 00F8600E: GetStockObject.GDI32(00000011), ref: 00F86060
Part of subcall function 00F8600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F8606A

GetWindowRect.USER32(00000000,?), ref: 0101377A
GetSysColor.USER32(00000012), ref: 01013794

Strings

static, xrefs: 01013757

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 82e1cbcdcd4fa2f0ff9c34133081d3c234b6250698b6a7f34d36dfc57e7a5519
Instruction ID: 807a368f42efb3ba1c3d83e0dc87761fbcc774005998194de07b8da9793319fc
Opcode Fuzzy Hash: 82e1cbcdcd4fa2f0ff9c34133081d3c234b6250698b6a7f34d36dfc57e7a5519
Instruction Fuzzy Hash: 8511267261020AAFEF11DFA8CC45AEA7BF8FB08314F004919F995E6244E739E8509B60

Function 00FFCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FFCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FFCDA6

Strings

<local>, xrefs: 00FFCD66

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 2be19759068d84af4ba3536f5e9c6ce0cd7121d0ceb854aab8d14df6cf39a7fc
Instruction ID: b7af80d14397e94c04ab478398477666d7b9836d99a5ac659fda91b646ea091b
Opcode Fuzzy Hash: 2be19759068d84af4ba3536f5e9c6ce0cd7121d0ceb854aab8d14df6cf39a7fc
Instruction Fuzzy Hash: 3311E37260163DBAD7344A668D44FFFBEA8EF127B4F00422AB26993090D2759840E6F0

Function 01013429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 010134AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010134BA

Strings

edit, xrefs: 0101348F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 4ed298f10e15dcedeb4c54ebc9b59352eb893863ad3333df4305f4ce959f4ed8
Instruction ID: 61068143d4d21f1175d2cbbf6b9a6f6266f9b7920000a2a4437338c0fea2e53c
Opcode Fuzzy Hash: 4ed298f10e15dcedeb4c54ebc9b59352eb893863ad3333df4305f4ce959f4ed8
Instruction Fuzzy Hash: 0811BF75140208AFEF628E68DC44AFB37AAFB05374F504324FAA19B1D8CB39EC519750

Function 00FE6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

CharUpperBuffW.USER32(?,?,?), ref: 00FE6CB6
_wcslen.LIBCMT ref: 00FE6CC2

Strings

STOP, xrefs: 00FE6CBC, 00FE6CC1

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: ea532bf36f2af582a215b8f7a2a71e8428b48169486b4a7ff0ad58ffb7274a28
Instruction ID: 83c7809fa62554614d7243716b280e24557fe5100a15e56427ddd02a90ea4ee1
Opcode Fuzzy Hash: ea532bf36f2af582a215b8f7a2a71e8428b48169486b4a7ff0ad58ffb7274a28
Instruction Fuzzy Hash: 62010432A0056B8BCB20AEBECC809BF73A6FA757A07500939E852D2181EB35D800E750

Function 00FE1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 00FE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FE3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FE1D4C

Strings

ListBox, xrefs: 00FE1D16
ComboBox, xrefs: 00FE1CEB

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 87e1334a3f83a435735c038cbc87c80df1f8af2fb2176c4f41395b52474e97d9
Instruction ID: fbcde08b223ee5afc1b6b10da1038c185832455885a2c175ea4f9a7569c0a3c2
Opcode Fuzzy Hash: 87e1334a3f83a435735c038cbc87c80df1f8af2fb2176c4f41395b52474e97d9
Instruction Fuzzy Hash: 53014C71B01219ABCB14FBA6CC55DFE73A8FF06360B140519F872673C1EA759908A760

Function 00FE1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 00FE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FE3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00FE1C46

Strings

ListBox, xrefs: 00FE1C10
ComboBox, xrefs: 00FE1BE5

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9fef2616f5c53b79e67c001643a13899228e60fea116ce72de251dbfa9e7a216
Instruction ID: 598e772f8f6d6a4df5780e2b96174cc2e19380ca7d22c7a1a94f437413ffe2a4
Opcode Fuzzy Hash: 9fef2616f5c53b79e67c001643a13899228e60fea116ce72de251dbfa9e7a216
Instruction Fuzzy Hash: A901F771B811456BCB04FB96CE55EFF73A8AB12340F240029B406B7281EA799E08A7B1

Function 00FE1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 00FE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FE3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00FE1CC8

Strings

ListBox, xrefs: 00FE1C94
ComboBox, xrefs: 00FE1C69

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 91250d706b6938b5d86958e4cccf8fdcb994ff323d5c914c5dddec69094394b9
Instruction ID: 5e6be0ed9a8074c78110d48cc0e4c0c23dacdf76cf1f5e38eb2d0e6117bd1ed3
Opcode Fuzzy Hash: 91250d706b6938b5d86958e4cccf8fdcb994ff323d5c914c5dddec69094394b9
Instruction Fuzzy Hash: AB01DBB1B8115967CB14F79BCE45AFF73E8AB11340F640015B842B7281EA759F08E771

Function 00FE1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 00FE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FE3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00FE1DD3

Strings

ListBox, xrefs: 00FE1DA0
ComboBox, xrefs: 00FE1D75

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6b60b7af02545df54e9eb4b7cba22f899dcd45380985b106f5dd03415e4367de
Instruction ID: ad7f560c11ba7d88ddbcd529a41cd9c7660722c127538fecb597e92ea679d505
Opcode Fuzzy Hash: 6b60b7af02545df54e9eb4b7cba22f899dcd45380985b106f5dd03415e4367de
Instruction Fuzzy Hash: 17F0F971B4121967D714F7A6CC55BFF73A8BB02350F480919B462672C1EA759908A760

Function 0100747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01007493
_wcslen.LIBCMT ref: 010074B9

Strings

3, 3, 16, 1, xrefs: 01007483

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: bbe4ad61aae27ef4fc9d11ebf2aa711217e6cb9cc269a02438d2eef2cc615ff3
Instruction ID: 48c0adcd88e427ce8cc2ce670209b61b4a437b59b7d30eaf8e5caf07292383ed
Opcode Fuzzy Hash: bbe4ad61aae27ef4fc9d11ebf2aa711217e6cb9cc269a02438d2eef2cc615ff3
Instruction Fuzzy Hash: BDE02341201250106273127D9CC157F76CDCFCA550B11142BF5C1C1196DFDCEDA153A0

Function 00FE0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FE0B23

Strings

AutoIt, xrefs: 00FE0B17
Error allocating memory., xrefs: 00FE0B1C

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: ab2e77f7937aed1ea1ded6d8bcf6c27c3f174b7feb5859a1dfd88ca2859aa036
Instruction ID: ce5acfd8e229a152f1f0d68ee5084d6ba2f77b9a95d96fa4ab87255f76a799e9
Opcode Fuzzy Hash: ab2e77f7937aed1ea1ded6d8bcf6c27c3f174b7feb5859a1dfd88ca2859aa036
Instruction Fuzzy Hash: B1E0D83128430837E12436557D43F897A859F06F20F10042AF7D4D94C38EDA689022E9

Function 00FA0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F9F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FA0D71,?,?,?,00F8100A), ref: 00F9F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00F8100A), ref: 00FA0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F8100A), ref: 00FA0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FA0D7F

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a0d93d680cbf70060637361140bfcb4489e04f3ff23bb60e07c0ca9aafaef80d
Instruction ID: 6ca1566a4a0af397955617625d061f0e77da6db0c706320868718139926ea5ed
Opcode Fuzzy Hash: a0d93d680cbf70060637361140bfcb4489e04f3ff23bb60e07c0ca9aafaef80d
Instruction Fuzzy Hash: A1E06DB42007018BE7709FB9E5087827BE0AB01B44F00892DE4C6C664ADFBDE4489B91

Function 00FF3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00FF302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00FF3044

Strings

aut, xrefs: 00FF3038

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: c71c915efa12b12f33aa31c8634dbec17fbf9ad74f2ac9e52f706376e1dfc14f
Instruction ID: 1371b06bb7edb29fd39a2945e6834b30491e440fe695bc8c0cc54f9c4ef3c77f
Opcode Fuzzy Hash: c71c915efa12b12f33aa31c8634dbec17fbf9ad74f2ac9e52f706376e1dfc14f
Instruction Fuzzy Hash: 7AD05EB254032867EA30A6A5AD4EFCB3A6CDB05650F0002A1B699D6085EAF9D984CBD0

Function 00FDD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FDD220

Strings

X64, xrefs: 00FDD2A8
%.3d, xrefs: 00FDD22B

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 1d753c60d717f57a2a47be2e4f49bb01a4c03068c04574788a5ce5dcaa463894
Instruction ID: 53b939b9acc4ea96137d4ec45c7664588f99232dc650c78a82f48d362684dd4b
Opcode Fuzzy Hash: 1d753c60d717f57a2a47be2e4f49bb01a4c03068c04574788a5ce5dcaa463894
Instruction Fuzzy Hash: 91D012F2844109EADF509AD0CC45AF9B37DAB18342F648463F946D1100D628C5087761

Function 01012322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0101232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0101233F

Part of subcall function 00FEE97B: Sleep.KERNEL32 ref: 00FEE9F3

Strings

Shell_TrayWnd, xrefs: 01012325

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 524e5be799054a2ed1b6b993e1e36157b68146397ea633ac93642f694139d8f5
Instruction ID: ae5cd90ef240548137e7dd4677aec76cc3ad977bd6610e4e2305cac113cb3ecb
Opcode Fuzzy Hash: 524e5be799054a2ed1b6b993e1e36157b68146397ea633ac93642f694139d8f5
Instruction Fuzzy Hash: 52D0A9323C0300BBE274A271EC0FFCABA04AB00B00F0009167685AA1C8E8B9A840CB00

Function 01012356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0101236C
PostMessageW.USER32(00000000), ref: 01012373

Part of subcall function 00FEE97B: Sleep.KERNEL32 ref: 00FEE9F3

Strings

Shell_TrayWnd, xrefs: 01012365

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ac7ac07583f8d5404959ec9e669b1f3bd1fc876badfb26bebaf8fb2bdc437198
Instruction ID: a8d2ad984a93164ed672d201c77713681b3dd222f8011371a6a44e29a77517cb
Opcode Fuzzy Hash: ac7ac07583f8d5404959ec9e669b1f3bd1fc876badfb26bebaf8fb2bdc437198
Instruction Fuzzy Hash: 3FD0A9323C13007BF274A271EC0FFCAB604AB04B00F0009167681AA1C8E8B9A840CB04

Function 00FBBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00FBBE93
GetLastError.KERNEL32 ref: 00FBBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FBBEFC

Memory Dump Source

Source File: 00000000.00000002.1415595918.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.1415541106.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415790784.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1415977109.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416044775.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 41f46096da11a8d5308cc1aafce625fb386628107891241e3ed4241d0d946e9e
Instruction ID: c6d0c852dcd01fb1f0ba13dbafc61a5481f5926d0e71ab6e2c63e878a3eee0b2
Opcode Fuzzy Hash: 41f46096da11a8d5308cc1aafce625fb386628107891241e3ed4241d0d946e9e
Instruction Fuzzy Hash: C841D435A04206AFDF218FE6CC44BFA7BA5EF42320F144169F9599B1A1DBB18D01EF60

Analysis Process: firefox.exePID: 8044, Parent PID: 424COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000025F6C457372 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000025F6C4573D7

Strings

>, xrefs: 0000025F6C4581DC
>, xrefs: 0000025F6C457439
#, xrefs: 0000025F6C457402
z, xrefs: 0000025F6C4589B6
>, xrefs: 0000025F6C45B47F
z, xrefs: 0000025F6C45740B
#, xrefs: 0000025F6C455745
4, xrefs: 0000025F6C45B459
A, xrefs: 0000025F6C4573CF
#, xrefs: 0000025F6C4584B1

Memory Dump Source

Source File: 00000012.00000002.2603301962.0000025F6C455000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000025F6C455000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_25f6c455000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: 699a8906cbbe854a41032d11fcf9a42eab065f866519b66fa761e5d3587e3967
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: 65A3E531618E498BDB6EDF18DC856A973E9FB94301F54423ED88AC7251DF34EA028BC5

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.1520348019.0000028EABAF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1525150662.0000028EA4C95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1555797149.0000028EA4C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1423129661.0000028EABB87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1561451577.0000028EABB87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1546351986.0000028EABB86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1423129661.0000028EABB87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1561451577.0000028EABB87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1546351986.0000028EABB86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1422935933.0000028EA4D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1520348019.0000028EABAF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000002.2597479479.000002423ED0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000002.2597479479.000002423ED0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000002.2597479479.000002423ED0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000002.2595996200.0000025F6BE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2597479479.000002423ED0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000002.2595996200.0000025F6BE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2597479479.000002423ED0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000002.2595996200.0000025F6BE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2597479479.000002423ED0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1422935933.0000028EA4D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rs-experiment-loader-timerbrowsing-context-discarded_validateBranches/schema<main/nimbus-desktop-experiments__MSG_extensionDescription____MSG_searchUrlGetParams__ did not match due to targetingnimbus-desktop-experimentsbrowsing-context-discardedhttps://www.amazon.co.uk/WebExtensionDictionaryManifestWebExtensionLangpackManifestOptionalPermissionNoPromptOptionalPermissionOrOriginoptInToExperiment/recipe<optInToExperiment/branch<_generateVariablesOnlySchemahttps://www.facebook.com/google@search.mozilla.orgDEFAULT_REPLACEMENT_CHARACTERnimbus-desktop-experimentshttps://www.leboncoin.fr/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1519880112.0000028EAD3BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1555797149.0000028EA4C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1485554681.0000028EA4EDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1483749916.0000028EA4EDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1519880112.0000028EAD3BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1561159058.0000028EAD3BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1545876423.0000028EAD3BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1421523532.0000028EA43AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525150662.0000028EA4C84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1558880112.0000028EA3CCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49943 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.7:50008 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:50010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:50011 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:50013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:50014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50023 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50020 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50021 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50024 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50025 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dfd71d07-40d6-4302-99d5-b50ea16f9055.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dfd71d07-40d6-4302-99d5-b50ea16f9055.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre